With the EU General Data Protection Regulation coming into force in just over 100 days, both private companies and public administrations are feverishly preparing. So, too, are regulators adjusting and adapting.
At this week’s GDPR Salon, a side event to the CPDP conference being held here in Brussels, attendees heard from Belgian State Secretary for Privacy Philippe De Backer and President of the Belgian Commission for the Protection of Privacy Willem Debeuckelaere about how Belgium is reorganizing its DPA (literally renaming it to the Belgian Data Protection Authority) and investing in an ability to regulate effectively in the era of the GDPR.
For example, said De Backer, the Belgian Parliament last week approved an additional 1.7 million euros for the Belgian DPA’s annual budget. Much of that, said De Backer, will be going toward staffing: “We’re still looking for new people, for good people,” he said. “If you’re looking for a new career…”
The room of roughly 100 privacy professionals chuckled.
The Belgian DPA, he said, will be “state of the art and match up with the biggest DPAs abroad.” Specifically, he said, the DPA should be “an assistant to controllers and processors … by working together to provide codes of conduct, even individualized assistance and consultations.”
In fact, the DPA’s most important service, he said, is serving to create a level playing field, where everyone knows the rules and has confidence the competition is complying with them.
To that end, the Belgian Parliament adjusted the structure of the CPP, creating an executive committee designed to attract members from differing backgrounds, “who have knowledge about what’s going on in the market today. They can impose fines, but we’re also enabling them to come up with a strategic plan with clear performance indicators,” De Backer said.
Commissioner Debeuckelaere, whose term will now expire in roughly a month when five new commissioners will be appointed by the Belgian Parliament, said the new DPA will ensure “we are accountable for applying fair and consistent approaches, that we are accountable to the data subjects for protecting their rights.” The new DPA comes completely into force May 25, 2018, along with the GDPR.
Perhaps with the frankness that comes with his term nearing its end, Debeuckelaere was also candid about how the Belgian DPA will approach the GDPR, which presents so many compliance challenges for so many. “Even the Belgian DPA will not be 100 percent compliant with the GDPR on May 25,” he said. “But don’t worry, we won’t be the only ones.” Further, he emphasized, the EU will need the legal system to help define aspects of the GDPR and so “compliance” will be a moving target for some time.
“We’ll need three or four years,” Debeuckelaere said, “to assess the success or failure of the GDPR.” He called the two-year implementation period for the GDPR “a really very short period of time.”
Unfortunately, though, the current CPP can only lay so much groundwork for the new DPA because “we are confronted with the fact there will be five new directors who have to be appointed by Parliament. It’s difficult for the existing commission to take positions that will impose on these people. We want to leave space for them to set out their own vision.”
So, not only will Belgian organizations have to wait and see how GDPR will be applied, they can only rely so much on guidance released by the current commission ahead of time.
However, he emphasized, the current Article 29 Working Party is releasing guidance for all of Europe with the tacit understanding that future regulators will abide by it. “Even when we at the Belgian Commission have a different insight” than the group as a whole, he said, “we will support the European decision because we think it’s necessary that we implement the GDPR the same way on the whole European level.”
That transparency and consistency are important at the EU level as well as in Belgium, said De Backer. “We clearly stipulated in the law how the procedures for enforcement will go,” he said. “It’s important to provide that clarity to the market. In the end, you can maybe fine a company, but if the problem is not solved, then the GDPR doesn’t protect the data rights of data subjects. It’s not there simply to fill the coffers of the state.”