Kantyra Kantyra

← Alle artikelen

Algemeen

What does the GDPR ask of your organisation?

Alain Rees · 12-07-2026 · 12 min leestijd

The General Data Protection Regulation (GDPR), known in the Netherlands as the AVG, is the European law that determines how organisations may handle personal data. The GDPR revolves around a set of core principles and around accountability, which means you must not only act carefully but also be able to prove it. This article explains what the GDPR entails, which principles and legal bases apply, which rights people have and how you comply demonstrably without ending up in a sprawl of loose documents.

In short

  • The GDPR applies as soon as you process personal data, in other words as soon as you record or use data about identifiable people.
  • You may only process personal data if you have a valid legal basis for it.
  • People have rights over their data, such as access, rectification and erasure.
  • Accountability means you must make your compliance demonstrable, and for that you start with a processing register.
  • A data breach that poses a risk must be reported to the Dutch Data Protection Authority within 72 hours.
  • Compliance coincides with the four phases of the Kantyra model: detect, assess, resolve and demonstrate.

What is the GDPR?

The GDPR (Regulation (EU) 2016/679) is European legislation that governs the protection of personal data across the entire European Union. Personal data is any information about an identifiable person, from a name or email address to a location or a customer number. Processing is any operation on that data, so collecting, storing, consulting and deleting all count.

The GDPR is more than a bureaucratic formality: it rests on a clear idea. Personal data belongs to the people themselves, and an organisation that uses it does so under conditions and accounts for it. That accountability is the heart of the law.

A regulation, not a directive

Like the AI Act, the GDPR is a regulation, and a regulation applies directly in all member states. There is no separate Dutch privacy law to comply with instead. That is a difference with the NIS2 directive, which first had to be transposed into national legislation, in the Netherlands the Cyber Security Act, the Cbw.

The Netherlands does have a supplementary law, the GDPR Implementation Act (UAVG), but it complements the regulation on a few points and does not replace it. The GDPR remains leading. Supervision rests with the Dutch Data Protection Authority, which can impose fines of up to 20 million euros or 4 per cent of worldwide annual turnover.

Who does the GDPR apply to?

The GDPR distinguishes two roles, and your obligations depend on which role you have.

The controller determines why and how personal data is processed. That is usually your own organisation, for instance when you record customer or personnel data. The controller carries most of the obligations.

The processor processes personal data on behalf of the controller, without determining the purpose itself. A supplier that hosts or processes data on your behalf is a processor. With such a party you record the arrangements in a data processing agreement.

Importantly, the GDPR also applies to organisations outside the European Union as soon as they process data of people who are in the Union. Its reach is therefore broader than European organisations alone.

The core principles of the GDPR

The GDPR has six core principles that apply to every processing activity, plus the overarching accountability principle. These principles are the yardstick a regulator holds your processing against.

  • Lawfulness, fairness and transparency mean that you process data fairly and are open about what you do.
  • Purpose limitation means that you only collect data for predetermined, well-defined purposes.
  • Data minimisation means that you process no more data than necessary for that purpose.
  • Accuracy means that you keep the data correct and up to date.
  • Storage limitation means that you keep data no longer than necessary.
  • Integrity and confidentiality mean that you secure the data appropriately.

Accountability binds all of this together. You must not only comply with the principles, but also be able to show that you do.

When may you process personal data?

You may only process personal data if you have a valid legal basis. The GDPR has six, and you choose one per processing activity:

  • consent of the data subject, which must be free, specific and unambiguous;
  • the performance of a contract with the data subject;
  • compliance with a legal obligation;
  • the protection of a vital interest, for instance someone's life;
  • the performance of a task in the public interest or official authority;
  • a legitimate interest, provided it outweighs the interests of the data subject.

Stricter rules apply to special categories of personal data, such as data about health, religion or political opinion. In principle you may not process those, unless a specific exception applies.

The rights of data subjects

The GDPR gives people a series of rights over their own data. You must be able to honour those rights, usually within a month. The most important are:

  • the right of access to the data you process;
  • the right to rectification of incorrect data;
  • the right to erasure, also known as the right to be forgotten;
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object to a processing activity;
  • the right not to be subject to solely automated decision-making with legal effects.

That last right touches on the AI Act, because automated decisions are increasingly made by AI systems. The two laws interlock on that point.

Your main obligations

Alongside the principles and the legal bases, the GDPR imposes a number of concrete obligations. The main ones are the following:

  • You maintain a processing register: an overview of all processing of personal data.
  • You conclude a data processing agreement with every party that processes data on your behalf.
  • You carry out a data protection impact assessment (DPIA) for processing with a high risk.
  • You apply data protection by design and by default, so privacy is built in from the start.
  • You secure the data with appropriate technical and organisational measures.
  • You appoint a data protection officer when that is mandatory.

Many of these obligations run parallel to what you already do in information security. The GDPR's security requirement, for instance, connects directly to the controls in your information security. That is exactly the anchor point for not treating privacy as a stand-alone exercise.

What do you do in the event of a data breach?

A data breach is a security incident in which personal data is lost or ends up in the wrong hands. Think of a stolen laptop, a misdirected email or a successful attack.

If a data breach poses a risk to the data subjects, you must report it to the Dutch Data Protection Authority within 72 hours. If the risk is high, you must also inform the data subjects themselves. You also record every data breach in an internal overview, whether you report it or not. That overview is at the same time your evidence that you handle data breaches seriously and in a structured way.

In Kantyra, a data breach runs through the incident register: you mark an incident as a data breach, record whether it was reported to the Dutch Data Protection Authority, and use the considerations field to substantiate a decision not to report. The internal data breach overview the GDPR asks for is thereby a filter on the register you already maintain, and data breaches count in the dashboard and in the incident trend of the management report.

From loose obligations to coherent management

Here sits the step many organisations skip. You cannot comply with the GDPR without an overview of your processing activities. The basis of everything is therefore the processing register: a current overview of every processing activity, with its purpose, legal basis, categories of data, retention period and the parties involved.

In Kantyra, that register is the core of the privacy module. For each processing activity you record the purpose, the legal basis (one of the six from the GDPR), the categories of data subjects and data, the recipients and processors, the retention period and the security measures, and you mark whether data is transferred outside the EEA and whether a DPIA is required. That last flag works: a processing activity that requires a DPIA but lacks one turns red in the register until the DPIA is there. Every processing activity has an owner and a review date: as that date approaches, the owner automatically receives a task, so the register remains demonstrably current, which is exactly what article 30 asks.

From that register, the lines run to your other obligations. The DPIA itself is carried out as an assessment, with a fixed template along article 35 (description, necessity and proportionality, risks to data subjects, measures and the advice of the data protection officer), a review round under the four-eyes principle and a PDF export. The data processing agreements are recorded in the supplier register: per supplier you mark whether it processes personal data and whether the data processing agreement has been signed, with monitoring of the contract date and the periodic review. And the GDPR framework sits in the compliance register, alongside ISO 27701 (the privacy extension of ISO 27001), so you maintain the status, the owner and the evidence per requirement.

That administration connects directly to your information security and risk management (ISMS). You manage the security measures the GDPR asks for just like your other controls, in line with ISO 27001. Privacy and security thus form two sides of the same system of control.

Where does the GDPR sit in the Kantyra model?

Like risk management, compliance management and the AI Act, GDPR compliance cannot be captured in a single phase of the Kantyra model: it is the cycle of the model, applied to personal data.

It starts with detect: knowing which data you process, spotting new processing activities and changes, and registering data breaches. Then follows assess: determining the legal basis per processing activity, and carrying out a DPIA where the risk is high. In the resolve phase you take the appropriate measures: security, data processing agreements and data protection by design. And the demonstrate phase has its own name and legal status under the GDPR: accountability. The processing register, the data breach overview and the GDPR framework with evidence together form that account.

GDPR compliance alongside the four phases of the Kantyra model: mapping processing activities belongs to detect, the legal basis and the DPIA to assess, the appropriate measures to resolve, and accountability to demonstrate

That makes the GDPR special within this series: where other frameworks assume demonstrability implicitly, the GDPR has made it a core principle. Whoever follows the model therefore does not need to organise accountability separately: it arises naturally from the cycle.

Do you work with loose documents or with a GRC platform?

You can keep your processing register and the associated overviews in loose files, and as a start that is defensible. But as the number of processing activities grows and the regulator asks for demonstrability, you run into the same limits as in any other compliance effort. Loose files drift apart, and you lack the overview and the history you need.

In a GRC platform, you manage the processing register, the arrangements with processors, the DPIAs and the data breaches as connected overviews within a single environment, and the connection with your information security prevents doing the same work twice.

With Kantyra you manage the GDPR in the same environment as your ISMS. Whether you see privacy as a stand-alone obligation or as part of your broader system of control, your processing activities, your risks and your controls come together in one place, in line with ISO 27001 and ISO 27701. This makes your privacy management just as demonstrable as your information security.

Getting started with the GDPR in five steps

  1. Map your processing activities. Create a processing register of every place where you use personal data.
  2. Determine the legal basis per processing activity. Record why you may process the data and for which purpose.
  3. Arrange the agreements with third parties. Conclude a data processing agreement with every party that processes data on your behalf.
  4. Assess the risks. Carry out a DPIA for high-risk processing and take appropriate security measures.
  5. Manage everything in coherence. Connect your processing register to your risk management and your ISMS, and keep it current.

Frequently asked questions about the GDPR

What is the difference between the AVG and the GDPR? There is none. AVG is the Dutch name, GDPR the English one. It is the same European regulation.

When does the GDPR apply to my organisation? The GDPR applies as soon as you process personal data, in other words as soon as you record or use data about identifiable people. There is no lower size limit: a small organisation falls under it too.

Do I always need consent to process data? No. Consent is one of the six legal bases, but often not the most suitable one. A contract, a legal obligation or a legitimate interest can be just as valid a basis.

What should I do in the event of a data breach? If the breach poses a risk to the data subjects, you report it to the Dutch Data Protection Authority within 72 hours. If the risk is high, you also inform the data subjects themselves. You record every data breach in an internal overview.

Do I have to appoint a data protection officer? Not always. It is mandatory for public bodies and for organisations that monitor people or process special categories of data on a large scale. In other cases it is voluntary.

Getting started with the GDPR in Kantyra

Would you rather not manage GDPR compliance in loose files, but in one environment that connects to your information security? With Kantyra's privacy module you maintain the processing register, carry out DPIAs with a fixed template and review round, record the processor arrangements with your suppliers and handle data breaches in the incident register, with the GDPR framework and the evidence in the compliance register. Request a demo and discover how to build GDPR compliance on top of your existing ISMS.


Kantyra is a Dutch ISMS and GRC platform that lets organisations manage their information security, risk management, privacy and compliance demonstrably, in line with standards such as ISO 27001, ISO 22301 and ISO 27701 and with legislation such as the GDPR, the Dutch Cyber Security Act and the AI Act.

Zien hoe dit in Kantyra werkt?

In een demo van 30 minuten lopen we het model door aan de hand van jouw situatie.

Plan een demo

Meer in de fase Algemeen