GDPR and your path towards compliance: 24 January 2017


Data inventory tool (available now)
Template (Excel) Register of Processing Activity
Data inventory first, compliance next! The road towards the GDPR starts with an inventory of the personal data you process.  Indeed, data inventorying is an essential step in your preparation: your organisation needs an inventory of all the types of information it processes, how that data will be protected, where the sensitive data sits. This tool helps you getting started building your register, as required by Article 30 of the GDPR.


Session takeaways
'GDPR (General Data Protection Regulation) is buzzing through every company…': we said it in our invitation to this N-sight, and with over 130 people in the room on 24 January 2017, we proved our point! You can see the presentations from the event here (after login, Beltug members only), as well as the Excel template created by Cranium to help you keep track of the processing activities required by the GDPR.

Beltug presentation: 'Beltug initiatives on GDPR'

Cranium Applied Privacy presentation: 'Data inventory first, compliance next'

Template (Excel) Register of Processing Activity

National Bank of Belgium presentation: 'And what if the cyber-criminals succeed?'

Allen & Overy presentation: 'The GDPR: where are we and what's to come?'

We started off hearing from Bavo Van den Heuvel of Cranium Applied Privacy, who explained that the road to compliance begins with an inventory of the personal data your organisation processes. Be prepared, he stressed, and don't underestimate the process of that inventory.

When going over the GDPR, don't fall into the trap of 'reading what you want to read'! Even if you are a company with fewer than 250 employees, you are not exempt from creating a register, especially in these cases:

  • Likely to result in a risk to the rights and freedoms of the data subjects
  • OR the processing is not occasional
  • OR processing of sensitive data (art 9 (1) and 10).

This inventory must be created per processing activity, not per company.  So, HR is one processing activity, finance is another, etc. (See slide 5 for what is needed on record in an inventory.)

Specially for Beltug members, Cranium has built a tool to help you create your inventory (the 'Template (Excel) Register of Processing Activity' above).  Make sure to complete it per type of data processed. (See slides 7-14 of Bavo's presentation for details on using the template.)

Even with tools and checklists, though, respecting the various retention periods for specific data will remain an important challenge for IT departments (see slide 13), Bavo concluded.

Next up was Danny Vande Putte, Operational Risk and Business Continuity Manager at National Bank of Belgium, who took us into the world of cybercrime. Cyber criminals are often already inside your network, without anyone knowing.  Yet this situation doesn’t seem to bother or trouble anyone. Should we consider this situation a crisis, or does it only become a crisis when an actual data theft or hack occurs?  Is the problem really that serious? How much consideration do we have to give to cyber criminality? 

After that reflection, Danny shared his concerns regarding the GDPR, and especially the sometimes vague definitions it uses: e.g. what is an 'adequate level of protection'? It’s difficult to judge…

The fact remains, he highlights, that companies are targets, and for all kinds of purposes.

So, what are the characteristics of a cyber-attack?

  • Hackers (the threat) that don’t have to be in the same physical space as the target
  • The IT complexity
  • The possible impact of 'CIA' (Confidentiality, Integrity, Availability)

While many aspects are similar to the crisis management we knew before cyber threats and GDPR (see slide 14), there are crisis management issues that very specific (see slide 15), such as crisis communication. For example, don't try to explain that you're not responsible: that is like a red flag to a bull for hackers! Another important aspect is traceability, which is key in building your legal defence.

Finally, don't stick with your traditional business continuity plans, Danny Vande Putte concluded, as they will most probably be compromised.  Build new and innovative ones. In any case, a close and intense collaboration between the business and IT is more critical than ever.  Both must be aware of each other's limitations and possibilities.

While GDPR is quite complex, it sometimes has the 'sweet smell of compromise' - maybe even on purpose, began Peter Van Dyck, Senior Associate at Allen & Overy, our next expert. He gave us a timeline for the regulation, with efforts from the regulators (the Belgian Privacy Commission, the Working Party 29, etc.) to make things more clear and obvious (see slide 3).

Take a look at what's new after these clarifications:

  • Broader rules on appointing a DPO:  You now need to appoint a DPO as soon as working with people's personal data becomes indispensable to your activities. 
  • Right to be forgotten: This is not an absolute right: for certain kinds of data (criminal records, for example), this right is not legally valid.  Beltug and its members suggested to the Privacy Commission a pragmatic interpretation of the right (and how to execute it), which will probably be accepted.
  • Privacy by default: For internet browsers, etc., you have different levels of privacy protection. Now, the highest level must be the default.  As a company, you need to think thoroughly about what kinds of privacy you want to offer.
  • Privacy by design: you must involve your privacy officer/security officer in the development of a product/service right from the start, so they can work with the business, and towards the least impact on privacy.
  • One stop shop: this is important because the regulators in various countries put a different emphasis or different notes in the regulation.  That means the question of where you have your lead authority is an important one.  Keep in mind, however: your lead authority is not necessarily in the country where your head office is located!

So, what to do between now and May 2018? Map your data, start your gap analysis, turn to the Commission's recommendations and begin implementing.

To close the session, Danielle Jacobs of Beltug called our members to action: don't reinvent the wheel! Come to us with your questions and take full advantage of the tools and documents we make available for your roadmap to GDPR compliance. You can get a complete overview on the Beltug initiatives and consultations with regulators and government in her slides.

Furthermore, over the coming months, you can expect regular updates from us on this topic!

This new N-sight format offers members a chance to learn from experts and peers about specific issues, with insights into trends, new technologies, how to prepare for them, and more.


Dear visitor,

Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).

Beltug gathers a lot of information. Here you find the advantages of Beltug membership

The Beltug Team

Click here to login

>>> Back to overview