Dutch GDPR Survey 2019


Amsterdam, NL - 11th December 2019 - One-third of Dutch employees do not know whether measures have been taken within their company to comply with GDPR requirements, despite the fact that this legislation has been in force for more than a year and a half. While some companies invest in training for their employees, on the whole Dutch organisations fell short, as highlighted by the fact that 32% of employees don't know whether a business email encryption solution is available to them.

These results were highlighted in a study commissioned by Egress, a provider of human layer email security solutions, and conducted by Markteffect among more than 250 Dutch employees.

'Regular' employees are less well-informed

Although in many organisations employees, their behaviours and the actions they take are at the center of GDPR policy, the study showed a lack of awareness among employees. It seems that those responsible for information security within organisations have a predictably greater awareness of GDPR policy, but that this knowledge is insufficiently shared with the wider staff group. For example, the percentage of people with final and co-responsibility who indicated that an email encryption solution is available within their organisation is significantly higher than that of non-responsible persons: 75% versus 33%. And where almost half of those not responsible for GDPR policy don't know whether the legislation has caused changes in the way their organisation shares information, only 10% of 'responsible' employees are unaware.

Almost 16% of all respondents indicated that company data or company-sensitive information has been accidentally made public by someone within their organisation. Here too, a clear difference can be seen between employees responsible for information security and non-responsible persons: 32% compared to 7%, which indicates that by no means all data breaches are reported by companies to their staff. The record number of data breaches that have already been reported to the Dutch Data Protection Authority this year also supports this conclusion.

On the positive side: the results also show that half of employees are aware of the policy changes that have been implemented as a result of the GDPR legislation. In the majority of cases (52%), this involves training employees. Almost 55% of the respondents also indicate that information security for more employees within the company has become part of their normal working duties.

Discrepancies within organisations

Axel van Drongelen, Benelux General Manager at Egress, said: “The research clearly shows that there's a discrepancy between the policy outlined by organisational leaders and the interpretation by the staff who are expected to implement this policy. Employees who are not responsible for information security, for example, are much less aware of the danger that irresponsible handling of company-sensitive data entails. This is evident, for example, from the fact that respondents who are responsible for information security more often indicate that unconscious data breaches arise via external tools such as WeTransfer or FTP services. This indicates that employees are looking for ways to circumvent security measures, also because there is more frequent use of an email encryption solution. They therefore do not consider the risks of their behaviour.”

Van Drongelen therefore argues for creating even more awareness among employees: “If you don't know that you're doing something wrong, you cannot improve your behaviour. It's positive to see that many companies invest in training for their employees when it comes to sharing information. At the same time, it appears that much more awareness is needed to reduce the danger of unconscious internal data breaches.”

Biggest fear of data breaches is within healthcare

The study also looked at the differences between sectors, such as healthcare, financial services, public sector and commerce. Healthcare employees appear to have the greatest fear of unconscious internal data breaches, with 32% saying this is the greatest threat to IT security. This is considerably higher than the overall survey average of 23%. Since the healthcare sector is also a leader in the reporting of data breaches to the Dutch Data Protection Authority, this fear does not seem unfounded. Commercial service employees score slightly above average with 23%.

Employees at financial institutions are the most GDPR-aware, with 81% of the respondents working in this sector indicating that changes have been made as a result of the legislation. In the government and healthcare sectors, this drops to 50%. Concern about accidental leakage of personal or business-sensitive information is 20% above average within healthcare, which can be attributed to the fact that personal information is more often shared externally via email (60% versus 49% on average).

Van Drongelen: “Healthcare is pre-eminently a sector where a lot of personal information is exchanged. But here too we see that more than a quarter of the employees do not know whether the policy for sharing information has changed as a result of GDPR. Also striking: almost 15% of healthcare workers believe that their company is not at all at risk when it comes to IT security. This also indicates a lack of awareness.”

The full report will be available in January 2020

About Egress

Our mission is to eliminate the most complex cybersecurity challenge every organisation faces: insider risk. We understand that people get hacked, make mistakes, and break the rules. To prevent these human-activated breaches, we have built the only Human Layer Security platform that defends against inbound and outbound threats. Using patented contextual machine learning we detect and prevent abnormal human behaviour such as misdirected emails, data exfiltration, and targeted spear-phishing attacks.

Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York, and Boston.
