Anticipating the intersections between GDPR and the AI Act will allow companies to turn regulation into resilience and to be better prepared for the evolving regulations surrounding AI.
Overview
While the GDPR only applies to personal data, the AI Act covers the development, provision and use of AI systems, and therefore applies even if non-personal data is processed using AI. For more information, you can refer to our latest article on AI Readiness.
Unlike the GDPR, which focuses on personal data processing and applies to controllers and processors inside or targeting the EU, the AI Act is broader in scope: it regulates any AI system used in, or impacting individuals in, the EU (even if no personal data is processed). Therefore, AI systems that do not process personal data, or that process personal data of non-EU persons, will still fall under the scope of the AI Act, but not the GDPR. However, for financial institutions, data-driven systems often handle personal data, and both regulations usually apply together.
The AI Act outlines eight typologies of high-risk AI systems, with 7 of these 8 involving a high degree of (sensitive) personal data processing. This means that in almost 90% of cases involving a high-risk AI system, compliance with GDPR is also likely necessary. Therefore, a coordinated approach to managing high-risk systems is crucial to ensure obligations are met for both the AI Act and GDPR.
Organisations will need to map the two acts against each other, since they overlap in several places, particularly regarding data retention and the right to be forgotten (1), biases and discrimination (2), and risk assessment (3).
Overlaps
1. Data retention and right to be forgotten
Many AI solutions store data for extended periods, eventually using it as part of their machine learning. Long-stored data increases the risk of unauthorised access (including the risk of cyberattacks) or misuse. It also challenges customers' “right to be forgotten”, or right of erasure, under the GDPR. Organisations should be particularly aware of the following:
- Clear communication with users when their data is used for AI training and/or prediction. In that regard, individuals’ right to restriction of processing (Article 18 GDPR) and right to object (Article 21 GDPR) are relevant.
- Clear deletion/erasure of data (Article 17 GDPR) should always be guaranteed in those cases. Furthermore, the controller should have an explicit obligation to inform the data subject of the applicable periods for objection, restriction, deletion of data, etc.
2. Biases and discrimination
AI technologies are becoming more and more advanced and can combine data to uncover highly sensitive user information such as political views, sexual orientation, or health status. These hidden connections create risks that often go unnoticed, even for anonymised or pseudonymised data, which the AI can still re-identify.
If the data provider is not aware of it, this can go against both the right to rectification (Article 16 GDPR), which allows users to rectify inaccurate or incomplete personal data, and the GDPR's rules on sensitive personal data (revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership), whose processing is strictly prohibited (Article 9 GDPR).
A thorough risk assessment, including DPIAs extended to cover AI-specific risk, can prevent these risks, as discussed in the next section.
3. Risk assessment: DPIAs and conformity assessments
Data protection impact assessments (DPIAs) are required under the GDPR (Article 35). This applies in particular to data processing likely to pose a high risk to the rights and freedoms of individuals, especially where sensitive personal data is concerned. The AI Act has a similar concept: the Conformity Assessment (Article 43 of the AI Act). The latter focuses on high-risk AI systems (for example, AI-driven recruitment tools or the use of AI to profile and automate access to financial products and services), evaluating risks to fundamental human rights, including privacy and non-discrimination.
It is also important to consider that parts related to compliance with data quality or cybersecurity may eventually be used to inform the customer, which means that this data needs to be included in the DPIAs. Additionally, AI platforms can involve collaboration between multiple parties or use third-party tools and services. This increases the risk of unauthorised access and/or misuse of data. Organisations must pay particular attention to sensitive and personal data that is transferred outside of the EU or to jurisdictions with different privacy regulations.
The first steps for organisations can be integrating DPIAs into Conformity Assessments to address overlapping requirements, establishing periodic reviews, and dialogue between the data protection officer, compliance teams, and AI development teams.
AI audit
Even if AI audits are not a requirement under the AI Act, they can add value by showing whether compliance goals are met. An external perspective on your risk measures can identify potential improvements and give you assurance on your DPIAs. Additionally, outsourcing audit teams means you don’t need a full-time AI audit unit. Instead, bring in experts when needed. For more information, contact our internal audit team.