GDPR — The Essentials
The General Data Protection Regulation (GDPR) is enforceable throughout the EU and applies to every organisation that processes personal data of EU residents. The Dutch Data Protection Authority (AP) actively enforces the regulation and can impose fines up to €20 million or 4% of global annual turnover.
GDPR compliance is not a one-time project but an ongoing process. It requires governance, documentation, awareness and technical measures — embedded in your organisational processes.
Core Obligations
- Processing Register: Documentation of all personal data processing activities — purpose, legal basis, retention periods and parties involved
- Lawful basis: Every processing activity must have a valid legal basis (consent, contract, legal obligation, vital interest, public task or legitimate interest)
- DPIA: Data Protection Impact Assessment required for high-risk processing activities
- Data breach procedure: Notification to the Authority within 72 hours of becoming aware of the breach; notification to the affected individuals when the breach is likely to result in a high risk to them
- Processor agreements: Contractual safeguards for every external processor
- Data subject rights: Processes for handling requests for access, rectification, erasure and data portability
Our Approach
- Privacy audit: Inventory of all personal data processing activities and assessment of current compliance status
- Documentation: Creating or improving Processing Register, privacy policy, data breach procedure and processor agreements
- DPIAs: Conducting Data Protection Impact Assessments for high-risk processing activities
- Awareness: Training your employees on GDPR requirements and data breach recognition
- Integration: Embedding privacy safeguards in your processes and systems (Privacy by Design & Default)
A certified ISO 27001 Information Security Management System covers a large portion of the technical and organisational GDPR security requirements. ISO 27701 adds the privacy-specific layer. We ensure that information security and privacy management function as a single integrated system.