Beltug

Privacy: the constant search for best practices continues. Takeaways from the Beltug X-change


Date: 19/06/2019


The concept and importance of ‘privacy’ are more and more embedded in our daily life - both professional and personal.  The introduction of the General Data Protection Regulation (GDPR) in May 2018 further accelerated this process.  When processing personal data, companies and organisations are encouraged to be conscious and respectful of the privacy rights their customers or employees can exercise.

 

But correctly handling the privacy of your data subjects requires constant effort, and at times presents a major challenge.  So we zoomed into a few of these hurdles, and checked out best practices. We brought you an example of an internal privacy statement, had a look at the importance of data classification, and learned about the ins and outs of a suitable training and awareness programme.  To top off the event, we heard from our new Data Protection Authority about its plans in the months to come.

 

Presentations are available to Beltug members (after log-in):

 

 

 

New Beltug tool: internal privacy statement for employees template

 

Our first speaker was Bavo Van den Heuvel, Director of Product Innovation at Cranium. The GDPR, he explained, is about the processing of personal data.  Most companies do have such personal data in their hands: in their CRM (whether they are B2B, B2C, B2G, etc.), in their core applications, and also in their own HR systems.

 

Bavo presented an example of an internal privacy statement, co-created by Beltug and Cranium, which focusses on this HR data.  The template aims to help employees understand what personal data the employer collects on them, why it is collected and what is done with it. The scope comprises employees in general, including temporary employees, job students, trainees, freelancers and contractors. (While job applicants are out of scope of this document, it is still important to have a policy in place for them as well.)

 

By using the document, the employer company ensures the employee can:

  • Stay informed
  • Maintain control
  • Know how to exercise their rights

(Slide 5)

 

Much of the data processing is related to payroll and personnel administration, so Bavo discussed the angles in that area, the types of personal data, the purpose and the legal basis (Slide 7).

 

Other ways of processing the data of your data subjects include:

  • Evaluation and training
  • Work planning
  • Security and control of the company assets

(Slides 8-10)

 

So how can employee data be shared?

  • Internally for the purposes mentioned before
  • With other entities of the company
  • External parties supporting the employer: can be controllers or processors
  • Where legal obligations apply, with government or clients (legal, security and safety)

 

And don't forget about other elements such as the retention period, security and more (Slide 12).

 

Bavo also provided a clear overview of how to use the template (Slide 13).

 

 

Data classification in a world of data protection, security, data management & analytics

 

Our next speaker was Christoph Balduck, Managing Partner at Data Trust Associates, who spoke about the continued importance of data classification, especially from a privacy angle. (Slide 11)

 

When having a look at a company's GDPR journey, often one of the most challenging aspects is the classification of data. Without classification, it's harder to determine risks.  You might over-secure or under-secure, for example.  Data classification makes us 'consciously incompetent', rather than 'unconsciously incompetent'.

 

Data classification is legally required and is part of the standards or norms we want to use.  It also determines where we store and process data and who is allowed to obtain or consume it.  Data classification also helps us to determine ownership and responsibilities regarding the company's data (data governance).

 

In brief: not classifying data is not an option!

 

Usually you start by defining your classification, Christoph continued.  Then you determine the technical and organisational measures, and define/discover your data and label the discovered data and data assets.  Afterwards you classify your data, determine gaps and prioritise the encryption of your data.  (Slide 15)

 

Christoph provided a few examples of possible data protection and security classifications (Slides 17-22).  Keep in mind, though, that classification should be done within its context.  Different classifications can apply to the same data subject in different contexts.

 

 

Data privacy – Is your organisation aware?

 

How aware is your organisation? That was the question Koen De Maere, researcher in digital strategy and governance at the University of Antwerp and Antwerp Management School, and Information Manager at BASF, threw into the group at the start of his talk.

 

And a key question in measuring and increasing awareness is: "Would our behaviour be similar if we were more aware?"

 

Koen elaborated on the example of Waze, which collects a lot of its users' data (even fitness activities).  He wondered: how many people would use the navigation tool if they had fully read Waze's privacy policy?

 

It all comes down to the privacy paradox: users express concerns about the handling of their personal data, but at the same time, give away this information voluntarily, while rarely making an active effort to protect it.

 

So, in this context of consumer behaviour, these questions were put on the table within the Beltug Privacy Council:

  • What is a recommended approach to improve data privacy awareness in organisations?
  • Who should be trained?
  • What should people know?
  • What investments (in time) are required?
  • What methodologies are most feasible?

 

Koen discussed the recommended duration of a privacy awareness training, for the different profiles within a company (marketing, board, procurement, HR, etc.). (Slide 30) He also covered the recommended scope of such a training/awareness programme for these different profiles. (Slide 31)

 

Koen then revealed the findings of a study he carried out, together with 16 members of the Beltug Privacy Council, on the recommended methods. (Slide 32)

 

To complete his talk, Koen went over a few real-life examples, highlighting for each what went wrong (Slides 34-41). He wrapped up with a warning about the 'knowing-doing gap': organisations are aware of the best practices, competencies, skills and behaviours needed for success, yet for some reason do not implement and act upon this knowledge.

 

 

Online advertising: challenges for DPOs

 

Bert Verschelde, Data Protection Officer at DPG Media (formerly 'De Persgroep - Medialaan'), went over the concept of online advertising.  Advertisers have various options and choices, ranging from direct deals and custom audiences to remarketing (based on your behavioural data) and advertising networks (AdWords, SEM). (Slides 6-11)

 

The legal framework (Slides 13-18) brings a number of challenges to the DPO, first of all in the user interface:

  • How do you request consent? (Slide 21)
  • How can you ensure you are clear and comprehensive?

 

When it comes to programmatic advertising, the industry (through the IAB, the Interactive Advertising Bureau) came up with a response, the IAB Transparency & Consent Framework (Slides 24-25), but this approach created its own issues. Now the IAB has developed a more granular approach.

 

Accountability is a third challenge: how do you prove consent was given?

 

 

The new Belgian Data Protection Authority - objectives and roadmap

 

Our final talk of the day came from the newly appointed president of the Belgian Data Protection Authority.  David Stevens, Commissioner at the APD-GBA, presented his fellow board members, emphasising that they collectively bring plenty of expertise and experience.  He gave an overview of the responsibilities of the respective entities of the DPA: the general secretariat, the first line office, the inspection branch, the litigation chamber and the knowledge centre (Slides 3-8).  The DPA is committed to further professionalising these different entities in their tasks, David stated.

 

Since the GDPR has been in effect, the Belgian DPA has recorded:

  • 6985 requests for information
  • 351 queries or complaints
  • 754 data breach notifications
  • 4539 registered active DPOs

 

The DPA has the strong ambition to reach out more, to stay close to the ground, and to have constructive conversations with the different stakeholders involved in privacy.  Through dialogue and collaboration with other (industry) authorities, the DPA aims to leverage resources and exchange valuable insights.  And finally, the authority will strive to grow as an effective, efficient and independent, vigorous regulator.
