Dutch AP Warns: Orgs Fail to Limit Data Breach Impact
By Steven | TrustYourWebsite | 2 min read
Source: Security.NL
According to Security.NL, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) has published a position paper stating that many organisations fail to take measures to limit the impact of data breaches. The paper was published ahead of a parliamentary roundtable discussion scheduled for 21 May 2026.
What did the AP say?
According to Security.NL, the AP identified three areas where improvement is urgently needed: achieving a high level of security, limiting the consequences of data breaches, and ensuring adequate supervision.
The AP reportedly stressed that a data breach can happen to any organisation. Because of this, it is not enough to focus only on preventing breaches. Organisations should also take steps to reduce the damage when a breach does occur.
Specifically, the AP pointed to three basic measures that organisations are reportedly still failing to follow:
- Data minimisation: only collect and process personal data that is strictly necessary
- Retention periods: do not keep personal data longer than needed
- Notification: inform people affected by a data breach properly and promptly
According to Security.NL, the AP noted that it currently sees these basic measures being ignored too often.
Supervision under pressure
The position paper also reportedly raised concerns about the supervision of both the AVG (the Dutch name for the GDPR) and the Cyberbeveiligingswet (the Dutch Cybersecurity Act). According to Security.NL, the AP indicated it cannot guarantee adequate oversight of these laws due to a lack of capacity. The authority reportedly stated it should be spending significantly more time on preventive supervision, for example checking whether organisations are meeting their obligations around data minimisation and retention, but currently has little capacity to do so.
The roundtable on 21 May 2026 will bring together the AP and several other organisations to discuss cybersecurity and information security. The outcomes of that discussion are not yet known.
What does this mean for your website?
If your website collects personal data, such as names, email addresses or order details, the AP's position paper is a reminder to check whether you are only storing what you truly need and whether you delete it when it is no longer necessary. A good starting point is our GDPR compliance checklist and our guide on privacy policy requirements. Even small businesses are expected to follow these basic rules under the AVG.