Cyber security and personal data protection

Our vision is to protect our clients' and our company’s information from security threats and to comply with data privacy regulations. To protect information, we have implemented an Information Security Management System (ISMS) conforming with ISO2700. Certification for ISO27001 was awarded in December 2019.

We take the issue of protecting our data and privacy very seriously because we work and provide digital cloud services in a world of open communication via the Internet, mobile working and mobile devices. We are constantly searching for weaknesses which could potentially provide unwanted access to our systems and data. We evaluate countermeasures to reduce risk and continuously improve our security measures to keep up with data privacy regulations and to increase protection against cyber threats. Our Technology Platform is constantly monitored for security threats and is kept up to date.

Information security is increasingly included within clients’ requirements and we continue to be able to meet their needs by selecting the optimal mix of solutions. Therefore, the ISMS also supports our objective to ensure competitive advantage by providing secure digital services to our users and customers. Our digital business transformation is driving profound changes in our Technology Platform with its focus on extending access for clients to our digital services, online engineering work and online data science insights. Our awareness of the cyber security risks means we have been able to respond adequately to any request or risk and we are confident we will continue to do so.

Personal data protection

We operate within a privacy and personal data policy and information security strategy approved by executive management and reviewed by the Privacy Protection Steering Group and Operational Excellence Committee. The policy and strategy unify and drive proactive action across businesses to protect Royal HaskoningDHV from data breach and maintain trust from our stakeholders.

Our Privacy and Personal Data Protection Policy and Information Security policy, the Key Controls, provides a strong foundation for protecting our information assets and confidential client information. The Key Controls also support ongoing compliance with external reviews and regulatory requirements, such as GDPR and ISO standards. The policy and approach are supported by effective and robust governance processes, risk management activity across three lines of defence (eg regular key risk indicator reporting, compliance testing and internal audits of information security policies and systems) as well as periodic and comprehensive risk reports to management- and Board-level committees responsible for these areas. In addition, we regularly conduct internal and external assessments to evaluate current performance and risk reduction measures against industry standards. These assessments have consistently confirmed Royal HaskoningDHV’s personal data protection and security posture as stable and mature, while helping us identify key risks and opportunities for improvement.

Internal awareness campaigns

Our awareness campaign regularly updates our employees on security relating to our systems as well as the new GDPR legislation that came into effect in May 2018. Information on how to keep systems secure, (eg phishing emails, not sharing details with others) and being aware of data security (eg keeping ID-documents safe, sharing of Box links) and the consequences of failing to act on data security was shared.