Three years of the GDPR: what hurdles still remain? (N-sight)

Location:virtual meeting


It’s been more than three years since the GDPR came into force, and companies continue to put a lot of effort into ensuring they respect the law and the privacy of clients and employees alike. At times, the challenges have turned these ‘efforts’ into real ‘struggles’. This is especially true when dealing with complex environments, cloud data, etc. But sometimes, it is due to more basic parts of the GDPR, such as how long to retain personal data.


Let's zoom in once again on the GDPR, highlighting a few of the challenges that remain and exchanging best practices on how to tackle them. We’ll start with a real-life user story from the world of personalised education, then zoom in on a practical case about how to cope with personal data, in the face of Schrems II. We’ll give you an update of Beltug’s conversations with the DPA and our DPO benchmark survey, and then wrap up with the question of data retention periods.


Don't forget to pass this invite on to your colleague from legal or HR; they are welcome to join.







This event will be held as an interactive virtual meeting. The link will be provided in the Confirmation email.








10:00 Welcome and introduction


Ann Guinée, Communication Manager, Beltug (English)


10:10 User story imec: Privacy in personalised education


imec and KU Leuven, on behalf of the Flemish government, have developed the i-Learn MyWay online portal, which offers a new step in personalised education. During this presentation, we will take a closer look at the challenges of personalisation and scientific research in education, and hear about a practical approach based on imec's experiences during the development of the portal.


Klaas Ghesquiere, Privacy Manager, imec (Dutch)


10:40 Are privacy and data protection requirements killing cloud and data projects? Zooming in on imec's user story.


The complexity of cloud and data projects has increased significantly, due to the many privacy/data protection challenges, and especially the July 2020 Schrems II decision.


This session will take on a few recurring questions from business, data and IT professionals:

  • Which data is still allowed in the cloud and what measures can you take to protect it?
  • How do we get business analysts, data engineers and architects, project managers and business stakeholders to work together on the topic of privacy/data protection?
  • How do you avoid ending up with a high-risk data protection impact assessment that could potentially delay or even halt your project?

Christoph Balduck, Managing Partner, Data Trust Associates (English)


11:10 Beltug met with the DPA – feedback from our conversation


On 21 September, Beltug and a delegation of Beltug members met with the Belgian Data Protection Authority (DPA), to testify about the experiences and expectations of organisations and DPOs regarding this entity. We'll give you some brief feedback on the conversation and our next steps.


Danielle Jacobs, CEO, Beltug (English)


11:20 DPO benchmark survey: Main findings and takeaways


This summer, we sent a detailed survey to the members of the Beltug Privacy Council regarding some key aspects of their DPO roles. The very down-to-earth questions related both to their strategic and daily operational reality in their respective companies. We will share some of the most interesting findings and takeaways from this survey.


Erik Luysterborg, Cyber Partner and EMEA Data Privacy Leader, Deloitte (English)


11:30 Personal data retention periods


How long do you have to keep personal data such as e-mails, personnel files or personal data from job applicants? This session will share a few best practices from Belgian companies, advice from the federations, the formal guidance from the EDPB/WP29 and some examples from other member states with statutory defined retention periods. The goal is to give you a starting point for defining your own retention periods for processing activities/personal data. Keep in mind that the best practices discussed need to be looked at as examples providing guidance, not roadmaps for you to follow.


Jean-Pierre Bernaerts, External DPO at several organisations (English)


11:40 Q&A: Your questions, your experience


12:00 Wrap up & end


We will keep the session open after the end to enable those who wish to continue the discussions.