SAP data security in the Netherlands: lessons from a changing landscape

When organisations in the Netherlands think about data security, most picture the classic external threat: a cyber-attack, ransomware or hackers trying to break in. Those threats are real, but in the world of SAP, the greater risks often sit much closer to home.

Test systems that quietly contain real employee data. Authorisations that have not been reviewed in years. Interfaces that still pass sensitive information between platforms, even though no one is entirely sure who uses them.

Individually, these problems may not make headlines. Together, however, they create a fragile foundation. When AVG (the Dutch implementation of the EU’s General Data Protection Regulation, or GDPR) rules demand answers, many companies quickly realise how difficult it is to explain where their data lives, who can access it, and how it is being protected.

SAP security under close watch in the Netherlands

The Autoriteit Persoonsgegevens continues to keep a close focus on GDPR/AVG compliance. As a result, Dutch organisations face growing expectations around transparency and accountability. For SAP teams, this translates into challenging but essential questions:

• Where is PII (Personally Identifiable Information) stored within SAP landscapes?
• How do you ensure sensitive data does not leak into non-production systems?
• How do you give employees the access they need without granting them more than they should?
• How do you continue proving compliance as landscapes become more complex?

Recent enforcement and what it tells us

The Autoriteit Persoonsgegevens has made it increasingly clear that data protection obligations are to be taken seriously. Fines are not only large; they’re precise about where organisations failed. These cases highlight risks that are very relevant for those managing SAP landscapes.

• Netflix was fined €4.75 million for failing to properly inform customers about how their personal data was processed, including unclear retention rules, international transfers, and access rights.
• Bureau Krediet Registratie (BKR) received an €830,000 fine for restricting individuals’ access to their personal data, in violation of their rights under the GDPR/AVG.

These fines are not just about big tech or government agencies. They underline a broader point: regulators expect every organisation to know exactly where personal data sits, how it is being used and who has access.

Beyond compliance: why it matters

It would be tempting to treat SAP data security as a checklist exercise. Yet the organisations making the most progress see it differently. They view it as a way to build trust with regulators, with auditors, and with their own employees.

When security controls are clear and access is well managed, audits run more smoothly, risks are reduced, and people work with greater confidence. In an SAP environment that is increasingly interconnected, that confidence becomes a genuine competitive advantage.

Continue the conversation at VNSG

This October, at VNSG Themadag Security 2025, we will be joining the discussion with our client Heineken. Together we will share how Heineken protects both production and non-production data while meeting GDPR, AVG and internal policy requirements.

If you are attending, we would be delighted for you to join the session or visit our booth to continue the conversation.