GDPR dive into the details. Takeaways from the Beltug N-sight of 19 December 2017


With barely 6 months to go until the GDPR comes into effect, companies now have a good knowledge of the EU data protection regulation and the new rules, and are paving the way to compliance. So in this session, we dove with industry and government into some of the GDPR's more complex features, such as the governance of data, 'Privacy by Design', Data Protection Impact Assessments (DPIA) and record-keeping, and the implementing legislation. Presentations from the event are available, exclusively for Beltug members (after login).



What is Information Governance, Jaap den Exter van den Brink, EMEA Information Intelligence Solution Lead at Veritas Technologies, queried at the start of this session. His definition: "the activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs." Data (bits and bytes) is not the same as information, he emphasised. Information governance can be seen as a higher level of data governance.


Don't look the other way or put your head in the sand when it comes to GDPR. Full compliance may not be possible, but make sure you are 'GDPR-ready'. You need to know your challenge(s). For starters, take control of your unstructured data and get rid of so-called 'dark data'.

  • Come to grips with your 'databerg'
  • Data subjects need to be found to be forgotten
  • What you keep must be protected
  • Know what you want to keep and keep what you know!


Structured data (versus unstructured data) matters, but it isn't the entire picture. Then there is the 'de-structured' data: while you may have a highly protected database, others can export the data and store it anywhere. This de-structured data needs to be protected as well.


Why, Who, What, When and Where: have a look at slide 18 for the questions to ask yourself in a data inventory. And consider getting help from an expert in inventorying/classification, with tools that find out whether files are sensitive or confidential based on their content. For example, a document may contain a credit card number, but this is not visible from the file name.
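As an added illustration of the content-based classification mentioned above (not a tool from the event, from Veritas, or from Beltug): the Python example below scans file contents rather than file names for candidate payment-card numbers, validates each candidate with the Luhn checksum to cut down false positives, and reports only masked values so the scanner's own output does not become another copy of the sensitive data. The file names and contents are constructed for the example.

```python
import re

# Constructed sample files: the file name says nothing about what is inside.
SAMPLE_FILES = {
    "Q3_notes.txt": "Meeting notes. Customer paid with card 4111 1111 1111 1111, exp 12/26.",
    "vendors.csv": "name,id\nAcme,1234567890123\n",  # 13-digit id that fails the Luhn check
    "holiday.txt": "Office closed on 25 December.",
}

# Runs of 13-19 digits, optionally separated by spaces or hyphens,
# that are not embedded inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return masked card numbers found in text (only the last four digits are kept)."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def classify(files: dict[str, str]) -> dict[str, str]:
    """Label each file by its content: 'confidential' if it holds a valid card number."""
    return {
        name: "confidential" if find_card_numbers(body) else "unclassified"
        for name, body in files.items()
    }


if __name__ == "__main__":
    for name, label in classify(SAMPLE_FILES).items():
        print(f"{name}: {label} {find_card_numbers(SAMPLE_FILES[name])}")
```

The Luhn check is what separates a card number from any other 13-19 digit identifier (the vendor id above matches the pattern but fails the checksum); a real classifier would add further detectors, but the structure stays the same: inspect content, validate, record a label and a masked reference rather than the value itself.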


Karl Pottie, Expert ICT & CISO at the Province of Vlaams-Brabant, started his talk by introducing the provincial government, an intermediate government between the municipalities and federal/regional governments. Being a government, the Province has a bit of a head start compared to some private companies: for example, it has had a DPO for many years.


Karl shared his best practices on 'Privacy by Design'. Based on the legal recommendations and texts, this concept needs to be part of calls for tenders. But while methodologies or formal frameworks don't exist yet for the concept, design strategies have been developed.


The Flemish Government used the ENISA paper for inspiration.


Privacy by Design is based on 7 pillars (slides 12-14):


  • Data minimisation
  • Controllability
  • Transparency
  • User friendliness/User centricity
  • Data confidentiality
  • Data quality
  • Use limitation


After explaining the theory, Karl went to the concrete experience of the Province administration.


He shared 8 privacy design strategies, together with the Province's pragmatic approach to each.

  • Minimise: the less data you have, the fewer risks you have, but users often want to keep as much data as they can. "Comply or explain" is what the administration demands from its staff, who limit data retention as much as possible. All new applications include this concept from the start.
  • Hide: recruiters can't see the payroll data while using the HR application, and vice versa. Hide what is not needed for the job.
  • Separate: personal data coming from various sources needs to be processed separately: store it in different databases, split it into different tables.
  • Aggregate: aggregate data at the lowest level of detail, for instance at the group level rather than the individual level.
  • Inform: be open and transparent to the end-user: who are the appropriate contacts, where can they go with issues, what procedures and policies apply in a certain case? And all this in plain human language.
  • Control: make sure the user can intervene and maintain control over their data.
  • Enforce: you need a privacy policy. But what does this look like? For the Province, this is still an unanswered question. Does it need to be general or per application? How effective and enforceable must it be? In any case, make sure the level of security is in balance with the goal.
  • Demonstrate: make sure you can demonstrate your compliance, or at least your efforts towards it. Even determining whether a breach took place should be built into the technology. Logging (and active analysis of the logs), external certification and audits are certainly important parts of this pillar.
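To make the design strategies concrete in code, here is an added example (written for this summary, not the Province's own implementation) that applies Hide, Separate, Aggregate, Minimise and Demonstrate to a constructed set of HR records. The field names, roles, retention period and minimum group size are assumptions chosen for the illustration.

```python
from collections import Counter
from datetime import date
from typing import Optional

# Constructed sample HR records (hypothetical, not the Province's data).
EMPLOYEES = [
    {"id": 1, "name": "A. Janssens", "dept": "Roads", "salary": 3200, "last_active": date(2017, 12, 1)},
    {"id": 2, "name": "B. Peeters", "dept": "Roads", "salary": 2900, "last_active": date(2017, 11, 15)},
    {"id": 3, "name": "C. Maes", "dept": "Roads", "salary": 3100, "last_active": date(2016, 2, 1)},
    {"id": 4, "name": "D. Claes", "dept": "ICT", "salary": 3600, "last_active": date(2017, 12, 10)},
    {"id": 5, "name": "E. Wouters", "dept": "ICT", "salary": 3400, "last_active": date(2017, 10, 1)},
]
REPORT_DATE = date(2017, 12, 19)  # assumed "today" for the retention rule

# Hide: an allow-list of fields per role. A field not on the list is never returned,
# so recruiters do not see payroll data and payroll staff do not see recruiting data.
ROLE_FIELDS = {
    "recruiter": {"id", "name", "dept"},
    "payroll": {"id", "salary"},
}

# Demonstrate: every access is recorded, so it can later be shown who saw which fields.
AUDIT_LOG: list[dict] = []


def view_for(role: str, records: list[dict]) -> list[dict]:
    allowed = ROLE_FIELDS[role]  # unknown role -> KeyError: deny by default
    view = [{k: v for k, v in r.items() if k in allowed} for r in records]
    AUDIT_LOG.append({"role": role, "fields": sorted(allowed), "records": len(view)})
    return view


# Separate: identity and payroll live in different stores, linked only by id.
def separate(records: list[dict]) -> tuple[dict, dict]:
    identity = {r["id"]: {"name": r["name"], "dept": r["dept"]} for r in records}
    payroll = {r["id"]: {"salary": r["salary"]} for r in records}
    return identity, payroll


# Aggregate: report at group level; groups smaller than MIN_GROUP are suppressed
# (None), because a count of one or two would effectively identify individuals.
MIN_GROUP = 3


def headcount_by_dept(records: list[dict]) -> dict[str, Optional[int]]:
    counts = Counter(r["dept"] for r in records)
    return {d: (n if n >= MIN_GROUP else None) for d, n in counts.items()}


# Minimise: a retention rule applied by the system rather than left to users.
def purge_inactive(records: list[dict], today: date, retention_days: int = 365) -> list[dict]:
    return [r for r in records if (today - r["last_active"]).days <= retention_days]


if __name__ == "__main__":
    print(view_for("recruiter", EMPLOYEES)[0])  # no salary field
    print(headcount_by_dept(EMPLOYEES))  # {'Roads': 3, 'ICT': None}
    print(len(purge_inactive(EMPLOYEES, REPORT_DATE)))  # 4: the 2016 record is dropped
    print(AUDIT_LOG)
```

The point of the allow-list (rather than a deny-list of hidden fields) is that a new column added to the record later is hidden from every role until someone deliberately grants it, which is the "comply or explain" default the Province describes.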


What techniques or technologies can support these pillars? Karl went deeper into Privacy Enhancement Techniques: for him, strong authentication, such as eID, itsme, etc., is the basic requirement for all processing of data (slides 33-35).


The Province of Vlaams-Brabant used a form with all the necessary questions to be answered. Completing this form helps spark ideas, and also structures thoughts when building a new solution or application.


GDPR starts with accountability - that is your guiding principle, Peter Van Dyck, Partner at Allen & Overy, stressed at the start of his talk. "Accountability is at the centre of all this: getting it right today, getting it right in May 2018, and getting it right beyond that," he explained. When putting the rules in place and deciding on certain obligations and measures, you need to get it right: penalties include massive fines, of up to 2% or 4% of your worldwide turnover.


First, Peter went into detail on the obligation to maintain a data register: a centralised place in which all processing activities are described. The Privacy Commission offers a template for such a register; other tools, including automated tools, exist on the market as well. The obligations of a data controller and a data processor differ (slide 10). Other aspects to decide on: how must this register be kept, who has access to it and when must it be ready?


Next, the DPIA, the Data Protection Impact Assessment, was put under the microscope. While it's an internal process, you can always consult with the existing privacy authorities to confirm whether you got it right. One core question is when a DPIA is required. For example, it is always required when:

  • Your decision
    • is based on automated processing
    • involves a systematic and extensive evaluation of an individual
    • has a legal / significant effect on the individual
  • The processing involves large-scale processing of sensitive data
  • The processing includes large-scale, systematic monitoring of publicly accessible areas.


It's important to note that a DPIA is always required if you're on the blacklist of a competent data protection authority. Sometimes, a DPIA may be required: these trickier cases are more difficult to judge. Peter provided an overview and a decision model (slides 18-19).


To end the session, Charlotte Dereppe, Privacy Adviser to the Cabinet of Secretary of State Philippe De Backer, took the floor. The world changes continuously, and the number of companies active in the data economy has exploded over the last few years. On the other hand, the GDPR is now being imposed. We need to find the optimal balance between the two.


The GDPR is the result of four years of negotiation between the 28 Member States, the European Commission and the European Parliament. In fact, it has been the most lobbied law text to-date – even compared to tobacco sector regulations, for instance. This is because it touches all companies in all sectors.


After a quick overview of a few key features of the GDPR, Charlotte explained how the Data Protection Authority (now the Commission for the Protection of Privacy) will be organised (slides 10 and 11). When a company needs to be sanctioned, an escalation mechanism will come into play: astronomical fines will only be a final measure, after a chain of intermediate steps (slide 12).


In general, Charlotte called upon companies to be part of a network: exchange best practices, get inspired by other companies, etc. She also emphasised that valuable tools are available, both from the Privacy Commission and, for instance, from Beltug.
