What today is a dataset without personal data or with anonymized data, no longer has to be that way tomorrow and it is crucial to know how to protect personal data. Due to the wider availability of open data and new technologies, data can easily be combined with other data. For example, the dataset can change in a matter of seconds into a dataset with data that can be traced back to individuals. The question of whether the General Data Protection Regulation (GDPR) applies to a specific dataset therefore depends less and less on the data itself and more on what someone does with it. Commissioned by the WODC, the Tilburg Institute for Law, Technology and Society investigated how legislation can respond to these unstoppable developments.