Privacy is not a one-stop-shop! Takeaways from the Beltug N-sight of 26 October 2021

It’s been more than three years since the GDPR came into force, and companies continue to put a lot of effort into ensuring they respect the law and the privacy of clients and employees alike. At times, the challenges have turned into real struggles, especially when dealing with complex environments, cloud data, etc. But sometimes, it is due to more basic parts of the GDPR. During this session, we zoomed in once again on the GDPR, exchanging best practices on how to tackle some of the remaining challenges.


Analysing and observing children in class is part of the research imec is doing for personalised education. imec's step-by-step approach starts with a privacy risk assessment (based on the information available), then adjusts the scope and privacy assessment as the project moves forward. The final step is follow-up from the privacy office - whether supporting the project roll out , or ensuring reporting towards regulators, other DPOs and steering committees. Privacy is definitely not a one-stop-shop!


Data Trust Associates took us on a deeper dive in the DPIA of this imec project. Many companies use US cloud providers for their data. But some are considered unsafe to many regulators, leading to the necessity to build both a DPIA and a DTIA (Data Transfer Impact Assessments). We heard about a combined approach as a solution to cross-data transfers to high-risk countries, but getting everyone to collaborate can be complex. The data team, the DPO and the CISO have different interests, so conflicts can arise. They don’t understand each other’s concerns & constraints, and may not even understand each other's language. Slide 19 shares a few tips on how to tackle this struggle.


We were then briefed on the conversation Beltug and our Privacy Council had with the Belgian Data Protection Authority. We will inform the members on the follow up of this conversation.


We also received first results from the benchmark member survey run by the Beltug Privacy Council, which covered many different topics, like:

More detailed insight from the survey will be provided soon.


And finally, we had a preview of the guidelines that will soon be published for all members. The Paper will be relevant not only to DPOs, but also to all managers with responsibility over personal data processing. After all, non-GDPR professionals also need to be informed on what the GDPR exactly states regarding retention periods!



The presentations and recording from the event are available to Beltug members (after login).


Three years of the GDPR: what hurdles still remain?

Ann Guinée, Communication Manager, Beltug (English)


User story imec: Privacy in personalised education

imec and KU Leuven, on behalf of the Flemish government, have developed the i-Learn MyWay online portal, which offers a new step in personalised education. During this presentation, we will take a closer look at the challenges of personalisation and scientific research in education, and hear about a practical approach based on imec's experiences during the development of the portal.

Klaas Ghesquiere, Privacy Manager, imec (Dutch)


Are privacy and data protection requirements killing cloud and data projects? Zooming in on imec's user story

The complexity of cloud and data projects has increased significantly, due to the many privacy/data protection challenges, and especially the July 2020 Schrems II decision. This session took on a few recurring questions from business, data and IT professionals:

Christoph Balduck, Managing Partner, Data Trust Associates (English)


Beltug met with the DPA – feedback from our conversation

On 21 September, Beltug and a delegation of Beltug members met with the Belgian Data Protection Authority (DPA), to testify about the experiences and expectations of organisations and DPOs regarding this entity. We'll give you some brief feedback on the conversation and our next steps.

Danielle Jacobs, CEO, Beltug (English)


DPO benchmark survey: Main findings and takeaways

This summer, we sent a detailed survey to the members of the Beltug Privacy Council regarding some key aspects of their DPO roles. The very down-to-earth questions related both to their strategic and daily operational reality in their respective companies. We will share some of the most interesting findings and takeaways from this survey.

Erik Luysterborg, Cyber Partner and EMEA Data Privacy Leader, Deloitte (English)


Personal data retention periods

How long do you have to keep personal data such as e-mails, personnel files or personal data from job applicants? This session will share a few best practices from Belgian companies, advice from the federations, the formal guidance from the EDPB/WP29 and some examples from other member states with statutory defined retention periods. The goal is to give you a starting point for defining your own retention periods for processing activities/personal data. Keep in mind that the best practices discussed need to be looked at as examples providing guidance, not roadmaps for you to follow.

Jean-Pierre Bernaerts, External DPO at several organisations (English)



Dear visitor,

Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).

Beltug gathers a lot of information. Here you find the advantages of Beltug membership

The Beltug Team

Click here to login