Security and Privacy
Security
We are continually enhancing our information and cybersecurity practices within the company. The evolving threat landscape necessitates this effort, both to address the cybersecurity risks we encounter and to meet the security requirements of our clients and partners, who increasingly demand certifications along with exacting standards of information security.
Cyber threats are evolving quickly, making information security essential for our knowledge-driven company. We continuously update and test our security measures to safeguard the interests of our clients, employees, company, and other stakeholders. The data we manage includes information entrusted to us by clients and third parties, project details, and company information such as intellectual property, employee records and financial data.
We protect our internal systems and data to keep our business processes going. We also respond to client demands for specific solutions for their security requirements. We are closely monitoring the latest developments surrounding the NIS2 Directive and the AI Act. We recognise the importance of these regulations in shaping the future of cybersecurity and artificial intelligence. To ensure compliance now and in the future, we have taken the necessary steps to prepare for these upcoming requirements.
We are also focusing on enhancing our technical controls. In 2024, we started our journey towards passwordless authentication, which will be finalised in 2025. This eliminates the need for traditional passwords by using alternative methods such as biometrics, security keys, or one-time codes to verify one’s identity, and will significantly improve both security and the user experience. Furthermore, we have implemented conditional access to strengthen security around endpoints in a collaborative working environment. This approach ensures that authorised users, both our own colleagues and external partners, can only access our applications and data when specific conditions are met, such as the user’s geographic location and their device being compliant with the latest security and anti-malware updates.
Our information and privacy protection strategy is centred around our Information Security Management System, based on the international ISO/IEC 27001 standard. We were re-certified for ISO 27001 in 2024, having first obtained it in 2019. In this external audit, we also transitioned to the latest 2022 version of the standard. In 2024, we maintained the UK National Cyber Security Centre’s (NCSC) Cyber Essentials and Cyber Essentials Plus certifications. Cyber Essentials Plus is the highest level of certification offered under this scheme and is required when bidding for contracts which involve handling certain sensitive and personal information.
We only work with ICT vendors and suppliers that have a robust security regime in place. A risk assessment and mitigation programme tests the security of our own and our suppliers’ systems. Supply chain security has an even bigger focus under the NIS2 regulations. To validate our own security posture and compliance, we undertake periodic penetration tests and vulnerability assessments on critical systems.
Even with the automated, real-time response that state-of-the-art technology provides, the human factor remains important for maintaining a healthy security posture. This is why, in 2024, we continued investing in awareness and improving our cyber resilience, to ensure employees know the basics of information security and understand the role every individual plays in protecting sensitive information and company assets. We scaled up our campaigns simulating realistic phishing scenarios to test our employees’ ability to detect and report malicious emails. This is of real relevance to colleagues because, across the organisation, we receive around 1,000 phishing emails every day, not all of which are filtered out by our systems.
In 2024, we enhanced our cyber security efforts by fostering collaboration with other leading companies in our industry. We established a cross-company consulting body dedicated to discussing cyber security developments and challenges in an open and collaborative manner. This initiative aims to share vital information and best practices, enabling us to collectively improve our defences and stay ahead of emerging threats.
Privacy
Royal HaskoningDHV collects and uses personal data for various purposes if the conditions set by applicable data privacy legislation are met. These can include the personal data of clients, vendors, business contacts, employees, and other stakeholders. This is done via various mechanisms such as client relationship management, proposals and projects for our clients, digital applications and services, financial management, human resource management, and information and communication technology. We are dedicated to protecting the privacy of individuals and are committed to complying with privacy legislation such as the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation and Data Protection Act 2018.
We maintain policies, processes, and procedures within a privacy and personal data protection framework. This includes actively verifying the compliance of our processing activities against relevant legislation; maintaining a compliance register in which we record processing activities; identifying, investigating, mitigating and reporting data breaches; handling data subject requests appropriately; and raising awareness. A personal data breach is a security incident in which personal data is accidentally or unlawfully destroyed, lost, altered, disclosed without authorisation, or accessed by unauthorised parties. In the Netherlands and the United Kingdom, the Data Protection Officer ensures compliance with data privacy legislation and, in 2024, we further strengthened our commitment to data privacy by incorporating it within our 12 ethical principles (see the Business Ethics section).