GDPR one year in
Cyber Security Summit
12th of June 2019
QUID VTC ?
• ° 2008: Monitor the transfer of personal data by Flemish
• ° 2018 : Supervising data protection authority (DPA) for
the Flemish public sector
o (local) Government,
• Our tasks are described in art. 57 and 58 of the GDPR
o Advice, monitor, complaints, standardisation, promote awareness, report data leaks, etc.
• Belgian situation
o Flemish VTC & Federal DPA
• More info :
Who am I ?
• Jan Guldentops (°1973)
o I have been building server, network and other ICT infrastructure
for > 25 years
o Founder of Better Access (°1996) and BA (°2003)
o Open Source Fundamentalist (after hours)
o Strong practical background in the field of security and privacy
• Security “expert” by accident
o Documented the security problems of the first Belgian Internet bank
(Beroepskrediet / Belgium Online)
o Right hand of big brother
o “Certified” Data Protection Officer
o Do a lot of R&D and testing (security, infrastructure, performance)
o Backup member of the VTC board
GDPR – one year
• The run-up to May 2018 almost felt like it was 1999
(Y2K) all over again.
• That mix of real concern, panic, smooth sales,
apocalyptic thinking, not understanding …
• Lots of products, consultancy, privacy-washing,
• We didn’t explain the why enough
o Why is the protection of personal data so important?
• The situation has relaxed, companies and organizations.
Howto GDPR ?
• A combination of hard work, common
sense, following policies and not
reinventing the wheel
• We see a lot of shortcuts and easy ways out
It’s a continuous process
• There is no such thing as absolute security !
Smart use of technology:
Is personal data more secure now?
• Did the extra attention on documentation,
procedures and inventories diminish the real
work on security?
• Did it mean we put less time into real security?
o Security plan ?
o Real technical audits ?
• There is more than personal data to consider :
o PCI DSS
o Other regulatory rules
A couple of examples
• Are we at a standstill ?
• Belgian DPAs took some time to get organized.
• Commercial companies complain that they are
not doing a lot of business
• Not a lot of complaints / rights enforced by
• Teach our citizens to enforce their rights
o The right to be informed
o The right of access
o The right to rectification
o The right to erasure
o The right to restrict processing
o The right to data portability
o The right to object
o Rights in relation to automated decision making and profiling.
Jun. 13, 2019
Short talk at the Cyber Security Summit Belgium for the Vlaamse Toezichtcommissie (VTC) about what we learned about GDPR.