‘Make agreements
and make them watertight!’

Ad Reuijl

More and more companies find their way to the CIP, the Dutch centre for information security and privacy protection. This is the place where you need to be if you want to protect information and ensure customer privacy.

Do you want to know more about the GDPR? Come to the CIP. This network organisation, which serves government agencies and private businesses, aims above all to share its expertise in information security and privacy protection. The CIP was set up in 2012 by four government agencies, which all processed a huge amount of people’s personal data: the UWV, the Sociale Verzekeringsbank, Dutch tax authority and education agency, DUO. Co-founder and director Ad Reuijl explains: ‘We all saw that we were becoming increasingly vulnerable to hackers. The triggers to start the CIP were two famous hacks. The first was the leak at Diginotar in 2011. This company issued safety certificates for government websites but was very sloppy with its basic security. For example, it didn’t use virus scanners and worked with out-of-date software, which made it easy for hackers to get in. Diginotar went out of business. A second incident was the work of ICT security journalist Brenno de Winter, who showed how a child could crack the websites of various government departments.’

Not a clue

When the CIP started in 2012, nobody knew anything about cyber attacks, says Reuijl: ‘Most companies, and certainly government agencies, did not have the slightest idea of ​​the rapidly increasing threat and security methods available. That awareness has fortunately increased considerably in recent years at many organisations. Legislation – like mandatory notification of data breaches from the Personal Data Protection Act and now GDPR – forces them to work hard on information security and privacy protection. This is an absolute necessity, given increasing digitisation. '

But we can forget again just as quickly, Reuijl warns: ‘We see media scandals all the time, like the recent controversy about Facebook. It’s the same old story: everyone is whipped up into a frenzy, questions are asked in parliament, there’s a furore. But a few weeks later, it has disappeared.’

Ad Reuijl

Ad Reuijl (62) ran ICT projects for temporary employment agencies before working as manager of system development at the GAK. He then joined PinkRoccade, which later merged with Getronics. Reuijl subsequently moved to the UWV, where he joined the ICT management team. In 2012, he became director of the CIP, the Dutch centre for information security and privacy protection.

Companies more alert than governments

This is why Reuijl welcomes legislation such as the GDPR: it forces companies and government institutions to sort themselves out, shake up the organisation, order, improve and control it better. ‘GDPR helps European companies take a stand against malicious organisations from outside Europe,’ he adds. And there’s another bonus: ‘Handling personal data correctly or simply better, makes for better data processing, improving the service and image of the organisation. Companies tend to perform better on average than public services, probably because they have more at stake – for example, the worst result of reputational damage could be bankruptcy. '

Quick lessons

The CIP helps organisations with a wide range of products, guidelines, model agreements and best practices, focused on designing software and hardware safely and – just as importantly – guiding employee behaviour. ‘In 2016 we set up a comprehensive product line called “Getting to grips with privacy” (see box),’ says Reuijl. ‘This includes the privacy self-assessment, so you can quickly map out where you are. You can download this free; filling it in takes about half an hour. Then you get advice about what you still have to do to protect privacy properly. Even if you probably can’t be 100% safe, this scan is certainly a good tool to create, strengthen and maintain awareness of customer privacy in organisations. '

‘After a leak,


follows quickly…
and goes quickly too’

Develop secure software

In addition to the focus on the employee behaviour, the CIP also works on Secure Software Development. ‘With SSD, the CIP offers a clear standard framework to develop and maintain well-protected software for clients, IT suppliers and internal departments,’ adds Reuijl. ‘We estimate that about three-quarters of all security incidents are caused by software security deficiencies.’ So secure software is critical to protect personal and business data. ‘With our SSD standards, organisations can build software that minimises the risk of leaks and other cyber threats,’ he says.

Privacy agreements with partners

As an organisation, you are never alone but part of a network. So it’s a good idea to agree with your most important partners what sensitive data you exchange and how you manage security, says Reuijl: ‘Under GDPR, you can’t simply eliminate risk and liability by pointing at someone else. Our working group and privacy expert Ruben Tienhooven of BDO have written a guide to agreements that you can make with your network and people who process data. We suggest possibilities including a template agreement. Our motto is: make agreements, and make them watertight!’