Brigitte Van Gerven, Project Manager UBench International: “For us, ISO 27001 is the starting point of a journey that is never completely finished”
Valéry Vander Geeten, legal manager at the CCB: “If you fall within the definition, then you have to comply with the NIS guidelines.”
Aurélie Waeterinckx, APD spokesperson: “The GDPR reflex must become instinctive before a project starts”
Compliancy: the rules of cybersecurity clarified
The GDPR legislation and NIS regulations have been in force for 3 years. How have SMEs and large organizations responded? And what does the future hold now that there has been an exponential rise in cyber risks?
The legislation is explained in simple terms and practical tools are offered.
Comply with the EU legislation
In 2020 the National Data Protection Authority received:
4 times more complaints than in 2019
25% more reports about data breaches than in 2019
Top 3 complaints:
Direct marketing (mainly concerning cookies)
COVID-19 related complaints
The data processing policy of cities and municipalities
Slowly but surely
GDPR is celebrating its third anniversary – enough time to grasp the rules and be fully compliant, or so you’d think. In reality, it’s more a case of growing awareness, and there’s still much to do. “Companies are achieving compliance slowly but surely. We’re also living in an age characterized by massive digital dependence and the emergence of new types of data – a continuous process that raises many questions. And we’re here to answer them,” says Aurélie Waeterinckx, spokesperson for the Data Protection Authority (DPA).
The DPA supports companies
The code of conduct as a tool
While companies must adapt to the regulations, GDPR is also continually adapting to the digital revolution and the new ways of implementing existing and emerging technologies. Waeterinckx says there are already tools that can be used: “Too few organizations use the code of conduct to demonstrate compliance with GDPR obligations. Although it doesn’t guarantee compliance, it’s a very useful tool in assessing it, and we are always here to assist and guide companies.”
Aurélie Waeterinckx has been a communication adviser and spokeswoman at the GBA (the Belgian DPA) since May 2019.
The GDPR reflex
But what are the main mistakes companies continue to make today? According to Waeterinckx, marketing without consent and a lack of transparency are the biggest offenders. Users aren’t (or are only vaguely) informed about the processing of their personal data. “We’ve also noted the lack of importance companies give to the DPO’s role. The GDPR reflex must become instinctive before a project starts.”
Is your SME GDPR compliant?
The DPA is an independent regulatory body whose task is to secure compliance with the basic principles of the protection of personal data. The DPA took over from the Privacy Commission on 25 May 2018.
Three primary deficiencies
After consultation with over 250 SMEs, the DPA has detected three major weaknesses in practice. The first involves the (fundamental) principle of transparency. The company is aware of its duty to inform with regard to data processing, but doesn’t communicate it, or does so poorly. “The next deficiency involves the principle of impact assessment, a compulsory tool for processing likely to generate high risks. Most of the SMEs questioned are aware of this without actually putting it into practice,” Aurélie Waeterinckx adds. Finally, only 50% of the respondents have implemented the concepts of ‘data controller’ and ‘subcontractor’ within the organization.
Aurélie Waeterinckx, GBA spokeswoman: “SMEs are one of our priorities, and from now on we’re providing them with a real toolbox.”
A toolbox for SMEs
SMEs do take action with regard to the GDPR. They scan the web in search of advice, consult their sectoral organization, etc., an observation that the DPA has decided to turn into an opportunity. “SMEs are one of our priorities, and from now on we’re providing them with a real toolbox. I recommend two reference publications, the vade mecum (a handbook) and the 13-step Action Plan, practical information that is supplemented by a FAQ brochure. In short, a real dashboard for SMEs.”
BOOST as support for SMEs
The objective of the BOOST project, developed by the DPA and financed by the European Union, is to help micro, small and medium-sized enterprises in any sector in implementing the GDPR. This major awareness-raising activity is also an unprecedented source of information. “Among other things, we provide letter templates, disseminate information via videos, publish a newsletter and organize webinars. The latest one had 735 attendees, proof of the need in the field and the relevance of our activities,” explained the DPA spokesperson.
Three years later …
The NIS law, which stems from the European NIS Directive, was the first cybersecurity legislation to be passed in Belgium. Three years after it came into force, the Center for Cybersecurity Belgium is relatively happy with companies’ compliance. “However, it’s still too early to fully assess the implementation of the rules. The first internal audits have just been carried out and the first external audits will take place in 2023,” says Valéry Vander Geeten, legal manager at the Center for Cybersecurity Belgium.
Europe expands the scope of its NIS regulations (NIS 2: more sectors covered)
Up until now, the rules applied to the following sectors: transport, energy, finance, healthcare, drinking water, digital infrastructure and digital service providers. NIS 2 provides for the expansion of the types of operators in some of the existing sectors and for the addition of new sectors, such as telecom operators, public administration entities, companies producing electronic products, food, and chemicals. “It should also be noted that prior identification by the competent sectoral authority would no longer be required. If you fall under the legal requirements, you must comply with the directive,” Vander Geeten says.
Valéry Vander Geeten is Head of Legal Affairs at the Belgian Cybersecurity Center (CCB) as well as Data Protection Officer. He is also in charge of coordinating the adoption of the NIS directive in Belgium.
Cybersecurity at every level
Stricter legislation is beneficial to any organization, regardless of its size. The energy sector is obviously crucial to all other sectors and the cybersecurity of its industrial systems is a major issue. The same goes for the public sector, as recent incidents have shown. “In the NIS 2 proposal, micro or small businesses would be excluded, with numerous exceptions especially for entities that could impact public security, public safety or public health. Nevertheless, I think that everyone is concerned. Cybersecurity isn’t just an IT issue, it’s part of our corporate culture.”
The Centre for Cybersecurity Belgium is a federal administration, under the authority of the Prime Minister, charged with coordinating cybersecurity policy in Belgium.
“Cybersecurity isn’t just an IT issue, it’s part of corporate culture above all.”
NIS 2
Expanded scope to include more sectors and services as either essential or important entities:
Providers of public electronic communications, networks or services
Digital services such as social networking services platforms and a datacenter service
Waste water and waste management
Space
Manufacturing of certain critical products (such as pharmaceuticals, medical devices, chemicals)
Postal and courier services
Food
Public administration
Hitting the refresh button on cybersecurity rules
What are the new regulations?
NIS 2: Proposal for a directive on measures for a high common level of cybersecurity across the Union.
The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped achieve a higher and more even level of security of network and information systems across the EU. In view of the unprecedented digitization in recent years, the time has come to refresh it.
NIS versus NIS 2: what changes

Capabilities
NIS: EU Member States improve their cybersecurity capabilities.
NIS 2: A list of administrative sanctions, including fines for breach of the cybersecurity risk management and reporting obligations, is established. More stringent supervision measures and enforcement are introduced.

Cooperation
NIS: Increased EU-level cooperation.
NIS 2: Increased information sharing and cooperation between Member State authorities with an enhanced role of the Cooperation Group. Establishment of a European Cyber crises liaison organisation network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents and crises at EU level.

Cybersecurity risk management
NIS: Operators of Essential Services (OES) and Digital Service Providers (DSP) have to adopt risk management practices and notify significant incidents to their national authorities.
NIS 2: Accountability of the company management for compliance with cybersecurity risk management measures. Streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline. Cybersecurity of the supply chain for key information and communication technologies will be strengthened. Strengthened security requirements with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.

Sectors covered by the NIS directive
Healthcare
Transport
Banking and financial market infrastructure
Digital infrastructure
Water supply
Energy
Digital service providers
CASE: UBench confirms data security with ISO certificate
UBench International provides a cloud platform that brings all automotive sector players under one roof: from leasing companies, rental companies and used car sellers to insurers, breakdown services and repairers. With its digital ecosystem, the company from Turnhout is today’s market leader in Belgium and is also active in many other European countries.
“Data security is essential for us,” says project manager Brigitte Van Gerven. “We handle a lot of confidential data on our platform.” The volume of that data has, of course, grown hugely since launching UBench International in 2003. “This calls for a systematic, holistic approach in order to maintain an overview. Especially if, like us, you are also seeking to constantly improve data security.” An attitude that is increasingly viewed as a basic principle in the market. “Many tenders set strict requirements for data security.”
Objective vetting
In this context, certification offers a practical way to objectively demonstrate an organization’s data security level. An internationally recognized certificate for data security is ISO 27001. “This is a framework of requirements that a data security system needs to meet,” says Bart Tollebeek, data security consultant at Proximus. “Put simply: the organization examines step by step where possible risks are located. Once the security risks are assessed, proportionate measures are implemented.” An organization that passes the audit, carried out by an accredited auditor, may use the ISO 27001 certificate for three years. “During that period, an annual check takes place,” Bart explains. “The certificate is based on the principle of continuous improvement.”
Brigitte Van Gerven has a degree in civil mechanical-electrical engineering from KU Leuven. She has been a project manager at UBench International since 2017.