
Data protection and privacy: GDPR essentials for employees

Practical guidance on data protection and privacy (GDPR) for organisations that want to improve secure behaviour structurally.


Founder & Security Awareness Specialist · 2LRN4

The General Data Protection Regulation (GDPR) has been the foundation for every processing of personal data since 2018. In 2026 it no longer stands alone: the Dutch Cybersecurity Act (Cbw), NIS2 and the AI Act all interlock with it. But for most employees the GDPR remains the compass that answers: what may I do with personal data, what may I not do, and what do I do when something goes wrong? A workable explanation, free of legal jargon.

What is personal data, and why is the term sensitive?

Personal data is any information that identifies a person directly or indirectly. Name and email of course, but also phone number, IP address, citizen number, a photograph, a combination of date of birth and postcode, and sometimes even an IPv6 address or a browser fingerprint. The definition is deliberately wide.

Within it the GDPR distinguishes special categories: health data, race or ethnic origin, political opinions, religion, trade union membership, sexual orientation, biometric data and genetic data. These require stricter protection and may only be processed in specific exceptional cases.

For your work this means: treat any list, email or database that holds names plus further details as personal data, and treat health data, identity numbers and biometrics as especially sensitive. In practice people rarely go wrong on the definition but on the consequences: they know something is personal data and still handle it casually, especially under workload.

The six principles the GDPR asks of you

Article 5 GDPR sets six principles. You do not need to recite them, but seeing them reflected in your behaviour helps a lot:

  • Lawfulness, fairness and transparency. Process personal data only on a lawful basis (consent, contract, legal obligation, etc.) and be transparent about it.
  • Purpose limitation. Data collected for purpose A may not just be used for purpose B. A customer list for invoicing is not a marketing list.
  • Data minimisation. Collect only what you really need. Ten fields in a form when only three are used is not a GDPR-compliant form.
  • Accuracy. Data must be correct and current. A wrong email may be corrected on request; sometimes it must be.
  • Storage limitation. Keep data no longer than necessary. Destroying a rejected candidate's application after four weeks is usually the norm; agreed retention periods help.
  • Integrity and confidentiality. Provide appropriate security against loss, unauthorised access and alteration. GDPR and cybersecurity meet directly here.

Data subject rights, and what you must do

People whose data you process have rights you must be able to honour. The main ones:

Right of access: a data subject may request which data you hold about them. You are generally required to respond within one month, extendable to three for complex requests.

Right to rectification and erasure ('to be forgotten'): incorrect data must be corrected and, in many cases, erased on request. Exceptions exist, notably for statutory retention duties.

Right to restriction and objection: a data subject can ask to pause processing or object to certain processing (e.g. marketing).

For employees this means: if you receive a GDPR request (mail, letter or phone), forward it straight to the privacy officer or central reporting point. Do not reply yourself with a refusal or promise; the clock runs from the moment of receipt.

Data breach: what it is and what you do

A data breach is a breach of security leading to loss of personal data, unauthorised access or alteration. Examples: a lost laptop, a mail to the wrong recipient, a hacked system, an accidentally public-shared folder of customer data.

The reporting duty is strict. A breach with risk to individuals must be reported within 72 hours to the supervisory authority (GDPR article 33). On high risk the data subjects must also be informed (article 34). The clock starts when the organisation becomes aware of the breach, which in practice is the moment you report it internally.

In practice: report a suspected breach immediately internally to IT, the privacy officer or the security team. Do not judge yourself whether it "really" is a breach; that is a formal assessment by the privacy officer. Better ten false reports than one missed real one. Then cooperate with investigation, follow-up and any customer communication.

GDPR, AI Act and NIS2: how they connect

GDPR almost always touches other frameworks. Three daily combinations in 2026:

GDPR and AI Act. When an AI system processes personal data both apply. GDPR for lawful basis, transparency and data subject rights; AI Act for risk classification, system transparency and, since 2 February 2025, AI literacy of your staff. AI use policy must reflect both.

GDPR and NIS2/Cbw. A data breach is often also a reportable cybersecurity incident. Under the Cbw there is a 24/72-hour duty for significant incidents; under the GDPR the 72-hour duty for personal data. A good response process triggers both at once where required.

GDPR and DORA. For financial institutions both apply. An ICT incident touching personal data triggers both reports, sometimes to the same supervisor (DNB) but via different routes.

How to anchor this in an awareness programme

GDPR awareness belongs in every base programme. Practical build: a six- to eight-minute module on the six principles and the reporting route, a deep-dive for roles working with personal data daily (HR, marketing, customer service, healthcare), and annual refreshers with current examples.

Combine with practical visibility: a short "what do I do at a suspected breach?" guide in the mail client, a role-based onboarding component, and annual board reporting on the number and nature of data breaches. The latter is relevant to supervisors and helps prioritisation.

Under the Cbw, documentation is crucial. A good platform records who completed which GDPR module and when, and delivers audit reports on demand. A static list on a shared folder is rarely enough at audit; demonstrability requires records that are easy to retrieve on inspection.

From explanation to action

See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.


FAQ

What exactly is personal data?

Any information identifying a person directly or indirectly: name, email, phone, IP, photo, citizen number, sometimes even a combination of birth date and postcode. Special categories (health, biometrics, religion) require extra protection.

When is something a data breach?

A security breach with loss, unauthorised access or alteration of personal data. Examples: lost laptop, mail to wrong recipient, hacked system, accidentally public folder with customer data.

Within how much time must a breach be reported?

72 hours to the supervisory authority where there is risk to individuals. On high risk the data subjects must also be informed. The clock starts when the organisation becomes aware of the breach.

What do I do with a GDPR request?

Forward immediately to the privacy officer or central reporting point. Do not respond yourself with refusals or promises; deadlines run from receipt and handling needs a legal assessment.

May I use a free online translator for a customer-data document?

Preferably not, unless approved by your organisation. Many free services retain inputs for further training, which is a transfer to a third party without a processor agreement. A GDPR concern.

What is purpose limitation?

The principle that data collected for purpose A may not just be used for purpose B. A customer list for invoicing is not a marketing list.

How does GDPR relate to the AI Act?

When an AI system processes personal data both apply. GDPR for basis and rights, AI Act for risk classification, transparency and (since February 2025) AI literacy of staff.

External source: European Commission - NIS2 Directive
