Since the General Data Protection Regulation became applicable in May 2018, enforcement across Europe has steadily intensified. In Belgium, the Data Protection Authority, known as the GBA in Dutch and APD in French, has significantly increased its activity. In February 2022, the GBA/APD imposed a landmark fine of EUR 250,000 on IAB Europe for multiple GDPR violations related to its Transparency and Consent Framework, citing, among other failures, the lack of a lawful basis for processing, the failure to appoint a Data Protection Officer and the failure to conduct a Data Protection Impact Assessment. IAB Europe appealed, and in March 2024 the Court of Justice of the EU confirmed that the framework's consent string is personal data and that an organisation in IAB Europe's position can be a joint controller for its processing.
For Belgian SMEs, the message is clear: GDPR is not just a concern for large corporations. With penalties reaching up to EUR 20 million or 4% of global annual turnover — whichever is higher — even smaller organisations face substantial risk if they neglect their compliance obligations. This guide walks you through the key requirements and helps you identify the most common gaps.
Understanding your obligations under GDPR
At its core, the GDPR requires every organisation that processes the personal data of individuals in the EU to have a lawful basis for doing so. Article 6 lists exactly six: consent, contractual necessity, legal obligation, vital interests, public task and legitimate interests. Each carries its own conditions; consent must be as easy to withdraw as it was to give, and legitimate interests requires a documented balancing test against the interests of the individuals concerned. Belgian SMEs must record which basis applies to each processing activity they carry out, a step many organisations still overlook.
Data subject rights form another pillar of compliance. Individuals have the right to access, rectify, erase, restrict the processing of and port their personal data, as well as the right to object to processing based on legitimate interests or used for direct marketing. Your organisation must respond to these requests within one month; Article 12 allows an extension of up to two further months for complex or numerous requests, but the individual must be told of the extension and the reason for it within the first month. Additionally, Article 37 requires a Data Protection Officer when your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions, and Article 35 requires a Data Protection Impact Assessment before any processing that is likely to result in a high risk to individuals.
Organisations with fewer than 250 employees benefit from a partial exemption from record-keeping under Article 30(5), but the exemption does not apply where the processing is likely to result in a risk to individuals, is not occasional, or includes special categories of data or data relating to criminal convictions. Because routine payroll, HR and customer processing is by definition not occasional, the exemption rarely covers an SME's core activities, and in practice the GBA/APD expects all organisations to maintain a register of processing activities regardless of size.
Common compliance gaps in Belgian SMEs
Many Belgian SMEs believe that GDPR compliance is primarily a legal matter, handled by updating a privacy policy on their website. In reality, the regulation demands a holistic approach spanning legal, organisational, and technical measures. One of the most frequent gaps is the absence of a formal data processing register — a structured inventory of all personal data flows within and outside the organisation.
Another common shortcoming is inadequate consent management. The GBA/APD's action against IAB Europe highlighted that consent mechanisms across the advertising industry were fundamentally flawed. SMEs that rely on third-party tools for marketing, analytics, or customer management must verify that these tools handle consent correctly, that the consent obtained is specific, informed, unambiguous and freely given as Article 4(11) requires, and that it can be withdrawn as easily as it was given.
A third area of weakness is vendor management. When Belgian businesses engage third-party processors (cloud providers, payroll services, marketing platforms) they must have data processing agreements in place that contain the terms Article 28(3) requires: processing only on the controller's documented instructions, confidentiality obligations on staff, appropriate security measures, controller approval of sub-processors, assistance with data subject requests and breach handling, and deletion or return of the data at the end of the contract. The GBA/APD has made it clear through multiple decisions that the data controller remains responsible for selecting processors that offer sufficient guarantees and for what it allows them to do with the data.
The role of IT infrastructure in GDPR compliance
Technical security measures are not optional under GDPR. Article 32 requires organisations to implement technical and organisational measures appropriate to the risk, and names as examples pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data promptly after an incident, and a process for regularly testing the effectiveness of the measures. In practice this means encrypting personal data both at rest and in transit, access controls that limit data access to authorised personnel, and audit logs that record who accessed which data and when, and that cannot be altered by the people whose actions they record.
For SMEs, implementing these measures does not necessarily require enterprise-grade budgets. End-to-end encrypted communication tools, properly configured cloud services with role-based access control, and multi-factor authentication on all systems containing personal data can significantly reduce risk. Regular vulnerability assessments and penetration testing further strengthen your security posture.
Network segmentation is another important technical measure. By isolating systems that process personal data from the broader network, you reduce the attack surface and limit the potential impact of a breach. Combined with automated monitoring and alerting, these measures create a defence-in-depth approach. No single control satisfies Article 32 by itself; what its risk-based standard calls for is a documented set of controls matched to the risks of each processing activity, reviewed and tested regularly.
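As an added example, not code from this article or from Shady AS, the following Python script demonstrates two of the properties described above on constructed sample log lines: an audit trail of personal-data access that is tamper-evident, because each entry carries an HMAC chained to its predecessor under a key assumed to be held by a separate log collector, and a simple alert when one account reads an unusually large number of distinct data subjects' records in a short window. The record fields, the key and the thresholds are assumptions made for the illustration.

```python
"""Tamper-evident audit logging for personal-data access, plus a bulk-access detector.

Added example, not code from the original article or from Shady AS. It assumes a
hypothetical application that writes one JSON line per access to a customer record;
the field names, the key and the alert thresholds are all assumptions.
"""
import hashlib
import hmac
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): anne does ordinary work on two customers,
# bob reads six different customers' records in under thirty seconds.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:59:10Z", "user": "anne", "action": "read", "subject_id": "C-1001"}
{"ts": "2024-03-04T09:03:42Z", "user": "anne", "action": "update", "subject_id": "C-1001"}
{"ts": "2024-03-04T09:10:05Z", "user": "bob", "action": "read", "subject_id": "C-2001"}
{"ts": "2024-03-04T09:10:09Z", "user": "bob", "action": "read", "subject_id": "C-2002"}
{"ts": "2024-03-04T09:10:14Z", "user": "bob", "action": "read", "subject_id": "C-2003"}
{"ts": "2024-03-04T09:10:20Z", "user": "bob", "action": "read", "subject_id": "C-2004"}
{"ts": "2024-03-04T09:10:27Z", "user": "bob", "action": "read", "subject_id": "C-2005"}
{"ts": "2024-03-04T09:10:31Z", "user": "bob", "action": "read", "subject_id": "C-2006"}
{"ts": "2024-03-04T11:45:00Z", "user": "anne", "action": "read", "subject_id": "C-1002"}
"""

# Assumed: the MAC key is held by the log collector, not by the application host, so an
# attacker who takes over the application cannot rewrite history and recompute the chain.
LOG_KEY = b"example-key-replace-with-a-real-secret"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def chain_log(lines, key):
    """Return a list of {"entry", "mac"} items; each MAC covers the previous MAC and
    the canonicalised entry, so editing, deleting or reordering any entry invalidates
    every MAC from that point onwards."""
    prev = b"\x00" * 32
    chained = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.dumps(json.loads(line), sort_keys=True, separators=(",", ":"))
        mac = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        chained.append({"entry": entry, "mac": mac.hex()})
        prev = mac
    return chained


def verify_chain(chained, key):
    """Return the index of the first entry whose MAC fails, or None if the log is intact."""
    prev = b"\x00" * 32
    for i, item in enumerate(chained):
        expected = hmac.new(key, prev + item["entry"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), item["mac"]):
            return i
        prev = expected
    return None


def detect_bulk_access(chained, window=timedelta(minutes=10), threshold=5):
    """Flag any user who touches more than `threshold` distinct data subjects within
    `window`. Returns one (user, window_start, distinct_subjects) tuple per flagged user."""
    per_user = defaultdict(list)
    for item in chained:
        rec = json.loads(item["entry"])
        per_user[rec["user"]].append((datetime.strptime(rec["ts"], TS_FORMAT), rec["subject_id"]))
    alerts = []
    for user, events in per_user.items():
        events.sort()
        recent = deque()  # sliding window of (ts, subject_id) no older than `window`
        for ts, subject in events:
            recent.append((ts, subject))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = {s for _, s in recent}
            if len(distinct) > threshold:
                alerts.append((user, recent[0][0], len(distinct)))
                break
    return alerts


def tamper_demo():
    """Show that the verifier pinpoints a modified entry and a deleted entry."""
    intact = chain_log(SAMPLE_LOG.splitlines(), LOG_KEY)
    modified = [dict(item) for item in intact]
    modified[3]["entry"] = modified[3]["entry"].replace('"bob"', '"anne"')  # rewrite who read C-2002
    deleted = [dict(item) for item in intact]
    del deleted[2]  # remove bob's first access entirely
    return {
        "intact": verify_chain(intact, LOG_KEY),
        "modified": verify_chain(modified, LOG_KEY),
        "deleted": verify_chain(deleted, LOG_KEY),
    }


if __name__ == "__main__":
    log = chain_log(SAMPLE_LOG.splitlines(), LOG_KEY)
    for user, start, count in detect_bulk_access(log):
        print(f"ALERT: {user} accessed {count} distinct data subjects starting {start:%H:%M:%S}")
    print("chain check:", tamper_demo())
```

Two design points matter in practice. The chain only proves tampering if the key and the chained copy live somewhere the application's administrators cannot reach, which is why the example assumes a separate collector; a chain computed and stored on the same host as the application protects against nothing. The threshold for bulk access must be tuned per role: a helpdesk agent legitimately opens many customer records a day, so the alert belongs on accounts and time windows where that volume is abnormal, not on a single global number.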
Breach notification: the 72-hour rule
Under Article 33 of the GDPR, organisations must notify the GBA/APD of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If notification is late, the reasons for the delay must be given, and where the facts are not yet complete the information may be provided in phases. Every breach, including those judged not to require notification, must be documented internally under Article 33(5). If the breach is likely to result in a high risk to affected individuals, those individuals must also be informed without undue delay under Article 34. Processors, for their part, must notify the controller without undue delay after becoming aware of a breach.
The 72-hour window is tighter than many organisations realise, and it starts when you have a reasonable degree of certainty that a security incident has compromised personal data, not when the investigation is finished. Meeting it requires having an incident response plan in place before a breach occurs, including clear escalation procedures, pre-drafted notification templates, and designated personnel responsible for breach assessment and reporting. The GBA/APD has fined organisations specifically for failing to notify within the required timeframe.
A well-prepared organisation should conduct regular breach simulation exercises to ensure that its response procedures work in practice. This includes testing the ability to detect breaches quickly through monitoring systems, assessing the scope of a breach, and completing the notification process within the regulatory deadline.
GDPR compliance checklist for Belgian SMEs
To help you assess your current compliance status, consider the following key areas. First, ensure you have a complete register of processing activities that documents all personal data flows, purposes, legal bases, retention periods, and third-party recipients. Second, review your consent mechanisms to ensure they meet the standards of specificity, clarity, and freely given consent.
Third, verify that all third-party processors have signed data processing agreements that meet GDPR requirements. Fourth, implement technical security measures including encryption, access controls, audit logging, and regular security assessments. Fifth, establish a documented breach notification procedure that enables you to meet the 72-hour reporting deadline.
Sixth, ensure you can respond to data subject rights requests within the one-month deadline. Seventh, assess whether your processing activities require a Data Protection Officer or Data Protection Impact Assessments. Finally, provide regular GDPR awareness training to all employees who handle personal data — human error remains one of the leading causes of data breaches.
How Shady AS can help
At Shady AS SRL, we help Belgian businesses build IT infrastructure that supports GDPR compliance from the ground up. From implementing encryption and access controls to configuring audit logging and monitoring systems, our team in Brussels ensures your technical environment meets the standards expected by the GBA/APD. We also assist with breach response planning, security assessments, and ongoing infrastructure management to keep your organisation compliant as regulations evolve.
Whether you need a full compliance audit of your IT systems or targeted support on specific technical measures, contact Shady AS SRL to discuss how we can help protect your business and your customers' data.