GDPR/AVG Privacy Compliance
Share Less, Less Hassle
Boardroom calm does not come from optimism, but from clear accountability and demonstrable follow-through.
In GDPR/AVG Privacy Compliance the gain lies in routine: knowing which personal data you hold and why, who can reach it, and being able to prove both when a regulator or data subject asks.
This way the subject stops being a recurring discussion and becomes a manageable part of regular business operations.
Why this matters
The core of GDPR/AVG Privacy Compliance is risk reduction in practice. Technical context supports the choice of measures, but implementation and embedding are central.
Why privacy is a board matter
The General Data Protection Regulation (GDPR), known in Dutch as the AVG, has applied since 25 May 2018. Yet many board members still treat the GDPR as a legal-administrative obligation that you hand to a privacy officer and then forget.
That is a costly mistake. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is imposing higher and more frequent fines, and the trend is clear: regulators are becoming stricter, not more lenient.
Key message: The GDPR is not a paper tiger. It is a law with fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. And those fines are actually being handed out, in the Netherlands too.
The basics: what you need to know
What is personal data?
Personal data is all data that directly or indirectly identifies a natural person. This goes much further than name and address.
| Type | Examples |
|---|---|
| Directly identifying | Name, national ID number, passport number, photo |
| Indirectly identifying | IP address, cookie ID, employee number, vehicle registration |
| Special categories (Article 9) | Health, racial or ethnic origin, political opinions, religion, trade union membership, genetic and biometric data, sex life or sexual orientation; criminal data falls under a similarly strict separate regime (Article 10) |
| Sensitive in practice | Location data, browsing history, financial data |
The rule of thumb: if you are unsure whether something is personal data, assume that it is. The definition is deliberately broadly formulated.
The six lawful bases for processing
You may only process personal data if you have a valid lawful basis. The GDPR recognises six:
| Lawful basis | When applicable | Example |
|---|---|---|
| Consent | The data subject gives free, specific, informed consent | Newsletter subscription |
| Contract | Necessary for performance of a contract | Payroll administration, delivery of an order |
| Legal obligation | The law requires the processing | Tax return, retention obligation |
| Vital interests | Protection of someone's life | Medical emergency |
| Public interest | Performance of a task in the public interest | Government registrations |
| Legitimate interests | Your interest (or a third party's) is legitimate, the processing is necessary for it, and a documented balancing test shows it is not overridden by the data subject's interests and rights | Fraud prevention, network security |
Note: "consent" is in practice the weakest lawful basis. Consent must be freely given – an employee who "gives" their employer consent rarely does so genuinely freely. And consent can always be withdrawn. Choose a different basis where possible.
Your obligations as an organisation
Data Protection Officer (DPO)
You are required to appoint a Data Protection Officer if you are a public authority, if your core activities consist of large-scale processing of special categories of personal data or criminal data, or if your core activities consist of regular and systematic monitoring of individuals on a large scale (tracking, profiling). The DPO must operate independently, may not be penalised for doing the job, and reports directly to the highest management level.
Record of processing activities
Virtually every organisation is required to maintain a record of all processing of personal data (Article 30). The exemption for organisations with fewer than 250 employees does not apply if the processing is not occasional, involves special categories, or is likely to result in a risk, so in practice almost nobody qualifies for it. The record contains for each processing activity:
| Element | Description |
|---|---|
| Purpose | Why do you process this data? |
| Categories of data | What personal data do you process? |
| Categories of data subjects | Whose data do you process? |
| Recipients | With whom do you share the data? |
| Transfer | Does data go outside the EU? |
| Retention period | How long do you retain the data? |
| Security measures | How do you protect the data? |
Data Protection Impact Assessment (DPIA)
A DPIA is mandatory when a processing operation is likely to result in a high risk to data subjects – think large-scale profiling, processing of special categories of personal data, monitoring of public spaces or the use of new technologies (AI, biometrics, IoT). The AP has published a list of processing operations for which a DPIA is mandatory. Check this list.
Data breaches: the 72-hour constraint
A data breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. That is broader than you might think: ransomware that encrypts files (loss of availability), an email sent to the wrong recipient, a lost USB stick, an employee accessing a file without a legitimate business reason: these are all data breaches.
The reporting regime
| When | To whom | Timeline |
|---|---|---|
| For every breach | Register internally (Article 33(5)), including the facts, effects and remedial action | Immediately |
| Unless the breach is unlikely to result in a risk to data subjects | Data Protection Authority (the AP) | Within 72 hours of becoming aware |
| If there is a high risk to data subjects | Also the data subjects themselves | Without undue delay |
Practical tip: The 72 hours start running the moment you become aware of the breach, meaning you have a reasonable degree of certainty that personal data has been compromised, not the moment you have fully analysed it. Do not wait until you have investigated everything: Article 33(4) explicitly allows reporting in phases, so report on time and supplement later. Reporting too late is itself a violation. If you act as a processor, the clock for your customer depends on you: you must notify the controller without undue delay.
International transfer of data
Within the EEA, personal data can be exchanged freely. But as soon as data goes to a country outside the EEA, strict rules apply.
| Mechanism | Explanation |
|---|---|
| Adequacy decision | The European Commission considers that the country provides adequate protection (e.g. Japan, South Korea, UK) |
| EU-US Data Privacy Framework | Specific framework for transfers to certified US companies |
| Standard Contractual Clauses (SCCs) | Model contracts from the European Commission |
| Binding Corporate Rules (BCRs) | Internal codes of conduct for multinationals |
Transfer to the US remains legally complex. The EU-US Data Privacy Framework (2023) provides a basis, but is not uncontested. Ensure your US suppliers are certified under the framework. Where you rely on SCCs instead, expect to document a transfer impact assessment of the destination country's law and any supplementary measures (such as encryption with keys held in the EU), as required since the Schrems II judgment.
Fines: the reality
The GDPR has two fine categories; in each case the higher of the two amounts applies:
| Category | Maximum | Violations |
|---|---|---|
| Lower | EUR 10 million or 2% of global annual turnover | Breach of processing, security or reporting obligations |
| Higher | EUR 20 million or 4% of global annual turnover | Breach of processing principles, data subject rights, transfers |
Fines in practice
| Organisation | Fine | Reason |
|---|---|---|
| Meta (Ireland, 2023) | EUR 1.2 billion | Unlawful transfer of personal data to the US |
| Amazon (Luxembourg, 2021) | EUR 746 million | Unlawful processing for advertising purposes |
| KNLTB (Netherlands, 2020) | EUR 525,000 | Sale of member data to sponsors without consent |
| HagaZiekenhuis (Netherlands, 2019) | EUR 460,000 | Inadequate security of medical records (internal access control) |
| Booking.com (Netherlands, 2021) | EUR 475,000 | Late reporting of a data breach (22 days late) |
| DPG Media (Netherlands, 2022) | EUR 525,000 | Unnecessarily demanding a copy of an identity document from people exercising their access and erasure rights |
| National Police (Netherlands, 2024) | Reprimand | Deficiencies in information security |
The pattern: the AP is increasingly focusing on deficiencies in security and late reporting. The absence of technical measures – such as proper access control, logging and encryption – is seen as a violation of Article 32 GDPR.
Security and privacy: two sides of the same coin
Article 32 GDPR requires organisations to take appropriate technical and organisational measures – almost the same wording as NIS2. The two laws complement each other.
| Security measure | Privacy effect |
|---|---|
| Encryption | Protects in case of theft or loss of equipment |
| Access control (RBAC) | Prevents unauthorised access |
| Logging and monitoring | Makes data breaches detectable and demonstrable |
| Pseudonymisation | Reduces risk in case of leakage |
| Backups | Protects availability of data |
| Awareness training | Reduces human errors |
| Penetration tests | Finds vulnerabilities before attackers do |
Without good security there is no privacy. The AP assesses not only whether you have a policy, but also whether your measures work in practice. Logging and monitoring in particular are crucial: they make data breaches detectable and demonstrable. The technical setup for this is covered in detail in Logging, Monitoring & SIEM.
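Pseudonymisation from the table above is where many organisations get the technique wrong: replacing an e-mail address with its plain SHA-256 hash looks irreversible but is not, because anyone who can guess the input can recompute the token. The following is an added example, not code from the original page, showing keyed pseudonymisation with HMAC-SHA256 beside the naive unkeyed variant, and a dictionary attack that recovers the naive tokens but not the keyed ones. The records and the candidate list are constructed sample data; the key is generated locally and would, in a real deployment, be held outside the dataset (the "additional information kept separately" of Article 4(5)).

```python
import hashlib
import hmac
import secrets

# Constructed sample records with fictional people; not taken from any real system.
RECORDS = [
    {"email": "A.Jansen@example.org", "city": "Utrecht", "visits": 3},
    {"email": "b.devries@example.org", "city": "Leiden", "visits": 7},
]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the normalised address.

    Deterministic, so joins across datasets still work, but anyone who can
    guess the address can recompute the token: effectively reversible.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address under a secret key.

    Same input and same key give the same token, so analysts can still
    count and join; without the key a guessed address cannot be turned
    into a token, so a leaked dataset cannot be re-identified this way.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Return copies of the records with the e-mail replaced by a keyed token."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def dictionary_attack(tokens: list[str], candidates: list[str], token_fn) -> dict:
    """Re-identify tokens by tokenising guessed inputs and matching.

    token_fn is whatever the attacker can compute; for the keyed scheme
    that is only the unkeyed hash, because the key is not in the dataset.
    """
    lookup = {token_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


# Constructed candidate list, the kind an attacker builds from a customer
# list, a breached mailing list or simply by enumerating a domain.
CANDIDATES = ["a.jansen@example.org", "b.devries@example.org", "c.bakker@example.org"]


def demo() -> tuple[int, int]:
    """Return how many records each scheme leaks to the dictionary attack."""
    key = secrets.token_bytes(32)  # generated here; keep it outside the dataset in practice
    naive_tokens = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed_tokens = [r["subject_id"] for r in pseudonymise(RECORDS, key)]
    leaked_naive = dictionary_attack(naive_tokens, CANDIDATES, naive_pseudonym)
    leaked_keyed = dictionary_attack(keyed_tokens, CANDIDATES, naive_pseudonym)
    return len(leaked_naive), len(leaked_keyed)


if __name__ == "__main__":
    naive_hits, keyed_hits = demo()
    print(f"unkeyed SHA-256: {naive_hits} of {len(RECORDS)} records re-identified")
    print(f"HMAC-SHA256:     {keyed_hits} of {len(RECORDS)} records re-identified")
```

Two caveats belong with this. Pseudonymised data is still personal data under the GDPR as long as the key exists, so it lowers the impact of a leak but does not take the dataset out of scope, and the key itself needs the access control, logging and rotation that the rest of this chapter asks for. If the key leaks together with the data, the scheme collapses to the naive one.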
Rights of data subjects
Data subjects have extensive rights that you must be able to honour:
| Right | What it entails | Response deadline |
|---|---|---|
| Access | Copy of all personal data you process | 1 month |
| Rectification | Correct inaccurate data | 1 month |
| Erasure | Delete data when no longer needed | 1 month |
| Restriction | Temporarily halt processing | 1 month |
| Data portability | Transfer data in machine-readable format | 1 month |
| Object | Object to processing based on legitimate interests or public interest; an objection to direct marketing must always be honoured | 1 month |
All of these deadlines can be extended by up to two further months for complex or numerous requests, provided you tell the data subject within the first month why an extension is needed. You may ask for enough information to verify identity, but not more than that: demanding a copy of an ID document as a matter of routine is exactly what DPG Media was fined for.
Do this this month
| Step | Action | Priority |
|---|---|---|
| 1 | Determine whether you need a DPO and appoint one | High |
| 2 | Map all processing of personal data (record) | High |
| 3 | Determine the lawful basis for each processing activity | High |
| 4 | Assess whether a DPIA is needed for high-risk processing activities | High |
| 5 | Establish a data breach procedure with clear roles and timelines | High |
| 6 | Check international transfers and implement appropriate safeguards | High |
| 7 | Implement technical security measures (encryption, access control, logging) | High |
| 8 | Set up a process for handling data subject rights requests | Medium |
| 9 | Review data processing agreements with suppliers | Medium |
| 10 | Organise awareness training for all employees | Medium |
| 11 | Schedule regular audits and penetration tests on systems that process personal data | Ongoing |
| 12 | Keep the record and your DPIAs up to date when changes occur | Ongoing |
| 13 | Ensure your privacy policy is understandable and easy to find | Medium |
| 14 | Test your data breach procedure at least annually with an exercise | Ongoing |
The relationship with NIS2
The GDPR and NIS2 are complementary:
- NIS2 requires you to secure your systems
- The GDPR requires you to protect the personal data in those systems
A data breach is often simultaneously a NIS2 incident and a GDPR incident, with separate reporting obligations to different regulators and on different clocks: the GDPR gives you 72 hours to notify the AP, while NIS2 requires an early warning within 24 hours, an incident notification within 72 hours and a final report within one month to the competent authority or CSIRT. Ensure your incident response process covers both reporting streams from a single incident record, so the facts you report are consistent.
Remember: good security is the foundation of privacy compliance. Invest in technical measures and you achieve two goals at once: compliance with both the GDPR and NIS2, and protecting the trust of your clients, employees and partners.
The GDPR makes it clear that privacy compliance is not a one-off project, but an ongoing board responsibility. That responsibility has consequences – personal consequences. In the next chapter on director liability you will read what is legally at stake when you fall short in your duty of care as a board member, and how you can protect yourself against that.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- Compliance — following rules without losing your mind
- Incident Response — when things go wrong
- Supply chain attacks — the weakest link problem
- "Are we a target?"
- Ransomware — digital hostage-taking for beginners and experts