Events Calendar

GDPR - PLAN to be Ready, PREPARE to Set, CHANGE to Go - Session 1
Monday 19 December 2016, 10:00am - 06:00pm
Hits : 3350
by This email address is being protected from spambots. You need JavaScript enabled to view it.

gdpr bannerweb

Data protection and data breach notification are no longer a media relations issue or opportunistic PR choice: It is law, with fines amounting up to 4% of the organization’s worldwide turnover. Not complying to the EU General Data Protection Regulation (GDPR) can lead to a financial drain equal to breaking EU Competition Law; a devastating amount for any business! The GDPR will affect almost every business that collects or handles the personal data of any European citizen. The legislation is welcome news for consumers who will get more say over how their data is handled, rights to be forgotten and transparency of data breaches. For organizations, the far-reaching nature of the GDPR means every aspect of a business will feel its impact and, in places, entire processes will need to be replaced or set up from scratch. GDPR covers a wide range of issues relating to personal data, such as privacy, monitoring and security. It compels businesses to apply privacy by design, disclose personal data breaches within 72 hours and encrypt the data they hold.

LSEC GDPR Activities : Putting Data Protection in Practice, GDPR 2016-2018

The EU General Data Protection Regulation is the most important change in data privacy regulation in 20 years…and we're here to make sure you're prepared ! Our aim is to provide at least 5 sessions where different aspects of the GDPR implementation will be investigated in depth, on the basis of the legal principles, experiences on implementation and indication which tools might be supportive of these implementations. The seminars are oriented towards DPO’s & other privacy officers, CISO’s, CIO’s, legal counsel, compliance officers, tax & audit, Company Directors, Business and Technology Managers, business people who should be involved in the data protection of their customers and partners. It is a unique combination of regulatory requirements, business impact and challenges for practice that we are focusing on, a difference from either the pure legal or technology perspectives. In a first session, on December 19Th, the aim is to present the basics and the general overview, already with some current challenges and ideas, followed by the detailed sessions in 2017.


Day 1 : GDPR - PLAN to be Ready, PREPARE to Set, CHANGE to Go 

GDPR General Introduction Day, setting out the topics, panels and keynote introductions

Session Materials :

Materials are now available for download. Attending to the event was free, but we charge a minor fee for the materials in order to ensure some income for the organization. As a non-profit organization, due to tax reasons, a small charge is asked to cater for the incurred costs. You will be transferred to and be asked to pay for 121 € (100 € excl, 21% VAT). You will be able to receive an invoice if you leave your company details and PO number. Once paid, you will receive a downloadlink to download the .zip with all materials. 

LSEC continues to support creating awareness on information security, will try to lower the barrier for ict security professionals. With this mechanism, all attendees have evaluated the value of the presented materials and can easily contribute to the future activities. 

Final Agenda:

All sessions will be recorded live, and retransmitted for web viewing afterwards, purely as reference materials. 
All sessions will be followed by a short Q&A, moderated by the panels chairs. 

• 08.45 : welcome & registration, networking
• 09.30 : introduction & agenda setting by Ulrich Seldeslachts, LSEC, chairman of the day

During this introduction, Ulrich will outline the LSEC activities in relation to data protection and the interest for the association of ICT security companies and practitioners in being involved. Ulrich will be chair of the day, and as the moderator throughout the day, aiming to learn from the panels in order to provide guidance to both practitioners and advisory throughout 2017.

• 09.45 : introducing data protection & GDPR, identifying key challenges, introducing co-chairs, Hans Graux & Nicolas Delcroix

Hans Graux and Nicolas Delcroix will be the co-chairs of the day. They have been working on data protection for more than a decade, and have a lot of hand-on experience in guiding both European and non-European companies and organisations in dealing with current data protection law. They have been closely following the developments and challenges of the new Regulation in various sectors. Together they will be setting the scene as a team, during an interactive session that outlines the main drivers behind the changes proposed by the GDPR. Furthermore, the introduction will briefly explain some of the major changes on the basis of practical real)life cases, showing the importance of the GDPR’s shift in focus. In this way, they will provide a pragmatic introduction to some of the opportunities and challenges of the main components of the GDPR.

About Hans Graux : Hans is a founding partner at time.lex, a member of the ICT Committee of the Council of Bars and Law Societies of Europe (CCBE), a Member of the ICT Committee of the Order of Flemish Bars, and an independent legal expert in the Flemish Supervisory Committee (Vlaamse Toezichtscommissie). Having graduated in Law in 2002, he obtained a complementary degree in IT in 2003. This combination makes him the ideal specialist for complex legal files that also require a solid technical grounding. Since 2005, he has primarily been active as a lawyer at the bar of Brussels.Hans frequently acts as a legal advisor to the European Commission in several policy areas, including electronic signatures, identity management, privacy protection and e-procurement. In 2007 he co-founded time.lex. His recent assignments center mainly around data protection (privacy protection), cloud computing, open source software development and geographic information systems.

About Nicolas Delcroix : Nicolas is a partner at RSM Belgium IT Advisory. His specialisation is Information Security management advisory, with a specialisation in privacy legislation. Prior to RSM, Nicolas was part of Delitad the Cronos Group company specialized in IT Audit and Advisory. In July 2012 he was the co-founder of the Data Protection Institute, which provided training to many DPO's in Belgium.

• 10.25: data protection & privacy from theory to practice, data protection in a business setting, chaired by Ulrich, Hans & Nicolas : 
- Paul De Hert (VUB)
- Bart Preneel (KU Leuven)
- Ilse Haesaert (Agoria) 
- Marc Vael (Smals)

This panel will be focusing on putting the rationale behind the Data Protection and the current GDPR. From theory to practice is where the main drivers of the rationale of privacy and data protection in general can find their historical meaning. But beyond history, what are the real threats that we are facing, and why should we concerned about the use by organisations of personal data. Why should we be concerned that data loss and leakage could be harmfull. Companies are responsible organisations and are there to self-regulate their data protection. Should the GDPR be implemented the hard or the soft way in Belgium, that is to say, how responsible can companies be and how can they provide sufficient trust and confidence to citizens and government. Is government even capable of dealing with personal data? Are the levels of control sufficient? Should we be weary of politics influencing the audit mechanism, should it be a pure technical practice? Won't there be a disfavoring of SME's and digital companies versus large enterprises having the means and resources in coping with expensive advisory? Shouldn't the advisory be limited and more assistance offered from technology and policy? Some reflections and controversial views. 

Abouts : 

Prof. Paul De Hert's work addresses problems in the area of privacy & technology, human rights and criminal law. Currently he is expanding his scope of interest including research on issues with regard to the human rights status of the elderly and the principle of neutrality in a democratic state. To satisfy his multiple curiosities de Hert teams up regularly with other authors. A human rights approach combined with a concern for theory is the common denominator of all his work.

Ilse Haesaert has been an advisor at Agoria since 2007, managing the Platform for Telecom Operators in Belgium, active in the domain of ICT and legal. Prior to Agoria, Ilse was working at the cabinet of the Minister of Telecommunications Verwilghen from 2004 until 2007. She has been leading the debate on privacy, data protection and the implementation of the GDPR in Belgium within the federation for the last couple of years. After her law studies in Louvain and Namur, including postgraduate studies in telecommunications, Ilse was first hired by an international telecommunications company. Some time later, she began her long career at Agoria. Besides her telecom activities, at Agoria she initiated the lobbying process in relation to the data protection regulation and thus acquired considerable expertise, specifically on the steps a company should take in order to achieve compliance in this respect.

Prof Bart Preneel is a Flemish cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group. He was the president of the International Association for Cryptologic Research in 2008-2013 and project manager of ECRYPT. Simultaneously with Shoji Miyaguchi, he invented the Miyaguchi–Preneel scheme, a robust structure used in hash functions such as Whirlpool. He is one of the authors of the RIPEMD-160 hash function. He was also a co-inventor of the stream cipher MUGI which would later become a Japanese standard, and of the stream cipher Trivium which is a well-received entrant to the eSTREAM project. He has also contributed to the cryptanalysis of RC4, SOBER-t32, MacGuffin, Helix, Phelix, Py, TPypy, the HAVAL cryptographic hash function and the SecurID hash function, among others.

Marc Vael is Chief Audit Executive / Client Security Services Executive at Smals. Marc received his MA in Applied Economics in 1989 from the University of Antwerp, and another MA in Information Management in 1990 from the University of Hasselt, and a master-doctorandus degree in applied economics and ICT in 1991 from the Katholieke Universiteit Leuven. He later received certificates in systems auditing, risk and information systems control et al. In 1997 Vael started to lecture as Guest Professor at the Antwerp Management School, and since 2004 also at the Solvay Brussels School of Economics and Management. In 2010 Vael was appointed chief audit executive at Smals and also deputy member of the Flemish privacy commission. In 2012 Vael was appointed as member of the Permanent Stakeholder Group of ENISA. In 2012 Vael was elected international vice-president and became a member of the board of ISACA where he was responsible for knowledge management. The same year he was also elected Fellow van het Hogeheuvelcollege (2012), University of Leuven.

• 11.25 : GDPR & data protection from a legal perspective, seizing the opportunity : Guillaume Couneson, Linklaters


About Guillaume Couneson : Guillaume’s practice focuses on information technology (IT) and electronic communication related matters. He has been heavily involved in both transactional and regulatory matters with a special focus on data protection compliance. Guillaume has also built significant expertise advising clients regarding IT contracts, including outsourcing/cloud computing related agreements. He regularly assists clients in regulated sectors and has worked on numerous deals falling under the regulatory authority of the data protection authorities and telecommunications regulators.


• 12.00 : Practitioners panel : clarifying key challenges for DPO's and other data protection coordinators, moderated by Ulrich
- Nicolas Ernie, (bpost)
- Jan Léonard (Orange)
- Bart Van Severen (KBC)
- Erik Luysterborg (Deloitte)
- David Callebaut (BNY Mellon - Delitad)

The Data Protection Officers will be important roles in their respective companies. They will have to deal with the regulation implementation in some cases, to assess the regulation and its various components and report on it, be the liaison officer to the DPA. Some of the DPO's are already active in their roles for many years. What are their current activities, how do they report internally? Are they following specific guidelines? What are the typical challenges they've encountered? How to include the rest of the organization to make this happen? What types of awareness plans are they encorporating? Is there board level committment? What should be the internal reporting lines? Do they consider themselves being controllers or processors of data and how does this impact the implication within the organization. 


Nicolas Ernie is GDPR Program Manager at bpost. Prior to this he was Lead of the team doing internal Audit at bpost, specialized in IT Audit, Internal Audit, Sarbanes-Oxley compliance, Risk Management, Corporate Governance, ISAE3402 and SAP. Before joining bpost in 2013, Nicolas was Manager at the Enterprise Risk Services division of Deloitte Belgium. 

Jan Léonard is Data Protection Officer at Orange Belgium. He is managing the Data Privacy Program at Orange / Mobistar. Jan has been with Prior to IT and Telecom development Manager. Already since 1999 with Mobistar, Jan has had different roles having been in charge of technical implementation of new offers and promotions, automation of the contract and service activation, EAI based developments and coordination of transversal projects within the technical department such as Y2K project manager. Prior to Mobistar, Jan was active at GIS provider Intergraph and Tractebel.

David Callebaut is currently Vice President Information Risk Management EMEA at BNY Mellon, but will change shortly towards DelITad as Managing Partner. Prior to BNY, David was EUA Information Security Officer at Delhaize Group, until 2014. There he has been Establishing and maturing the Information Security level, by improving and managing security processes and operations, improving and/or installing regulatory compliance (SOX, PCI, ...), applying security standards (ISO2700x) and perfoming risk assessment and mitigation projects. Ensuring Data Protection and Privacy by establishing clear processes and documentation. Managing a regional team of security experts. Aligning business and IT strategy with security objectives and establishing optimal risk/reward decisions.

Erik Luysterborg leads the Security & Privacy group as well as the European Data Protection & Privacy service line. He deals with security and privacy issues related to both traditional (out) sourcing as well as Cloud environments. Erik assists international clients with cross border and practical/technical aspects of data protection. He focuses on designing operational and pragmatic security management solutions and controls effective risk based legal/compliance strategies both in public & private sector.

Bart Van Severen is Data Protection Officer at KBC Group. Since 2013, Bart is DPO as part of the Group Compliance dept for KBC, with specifically privacy of personal data and professional discrecy as part of his compliance domains. Bart has been working in the financial services domain since 1988 and has been with KBC since 1997 in various roles including : Global Head of Business Procurement for KBC Global Services, Project Manager Global Procurement and Head of ICT Procurement. He was part of the startup and coordinate cooperation with Central European KBC activities, after a couple of years as Head of ICT Procurement Belgium. Prior to KBC Bank, Bart was Head of ICT Open Systems of Cera Investment Bank and Head of ICT Cell for Dealing Room.


• 13.00 : lunch


• 14.00 : GDPR practical implementation & integration, Erik Luysterborg, Deloitte

About : see earlier


• 14.30 : Technology Practioners Showcases : Risk-based Security Architecture for Data Protection, Christiane Peters, IBM

About : Dr. Christiane Peters works as Security Architect for IBM Security Services. In 2011, Christiane obtained a Ph.D. in cryptography from TU Eindhoven. After two years of post-doctoral research in the Denmark and the United States, she turned to more industry-oriented research and consulting on security for the smart grid.  At IBM, Christiane fills in the data security portfolio for Benelux with activities around privacy and data protection. This includes in particular an architectural approach to the GDPR, setting up a program to accomplish the necessary data protection capabilities.


• 15.00 : Legal Panel, identifying key challenges from a legal perspective, moderated by Nicolas and Ulrich
- Patrick Van Eecke, DLA
- Tanguy Van Overstraeten, Linklaters
- Florence de Villenfagne, ICTLex
- Hans Graux, Time.Lex

This panel will focus on some of the legal challenges, but with a focus on the business challenges. Some of the legal discussions will be taken further as part of the workshops organized by partner PrivacyHub. 

The GDPR has much stronger evidentiary requirements, but how are legal counsel helping their clients in gathering that evidence before the entry into force of the GDPR? The GDPR will require many organisations to have data protection officers. How do you expect this will impact your role as lawyers? Do you think you could be DPOs? Why or why not? Security obligations are liabilities are now much more equally split between controllers and processors. Is that a good thing? Do you think it will make a difference? The GDPR relies on the concept of ‘high risk’ a lot, e.g. for determining whether a PIA needs to be conducted or when a DPO is needed. Is that a workable concept for you? Do you feel you understand it? There’s been a lot of discussion about cross border data transfers, especially between the EU and the USA, and the old Safe Harbor is now being replaced by the Privacy Shield. Do you think that actually changes a lot in practice? The GDPR relies much more on operational practices than on paperwork, e.g. with the principles of privacy by design and privacy by default. Do lawyers have a role to play in assessing compliance with this principle? Fines for noncompliance will go up substantially. Do you think high fines (20 million EUR or 4% of worldwide turnover) will actually be issued, though? Do you think the higher fines were needed, or a good idea? We get more strict rules for consent now, including the fact that consent must be revocable, and that you can’t get consent from minors under a certain age. Do you think that’s a positive change? What difference will it make? How will the GDPR affect big data analysis and the development of the IoT in Europe? What legal requirements will be most problematic? Do you think European industry will be able to sort it out, or will we suffer a competitive disadvanExpertisee? Do you think there could be issues related to complex technologies for DPA' and legal counsel in respect to complete comprehension on privacy protection, such as complex encryption technologies, or are these irrelevant. Do you consider an issues of IPR protection in PIA’s? What other legal challenges and opportunities do you see coming ahead? (For instance to create order in contracts and documents, such as for consent, company wide)

About : 

Tanguy Van Overstraeten, LInklaters : Tanguy is Global Head of Linklaters’ Privacy and Data Protection Practice, Head of the TMT practice in Brussels and chairman of the Firm's Information System Board. Tanguy covers a wide range of matters, including data protection, outsourcing and computer-related transactions, telecommunications as well as e-business and Internet-related issues. With a strong corporate and commercial law expertise, his practice includes advisory and transactional work (M&A and joint venture) and the conduct of litigation. Tanguy is also Data Protection Issue Leader at the Digital Economy Committee of the American Chamber of Commerce to the EU and member of the Advisory Board of the International Association of Privacy Professional. He teaches privacy law at the Solvay Business School at the ULB

Patrick Van Eecke, DLA : Patrick Van Eecke has deep experience in e-commerce related legal issues such as data protection, electronic signatures, consumer protection and advertising. He advises telecommunication companies, internet service providers, software developers, governments and companies using IT related services.He is extensively involved in diverse consulting projects for the European Commission and several national governments. Patrick is Global Co-chair of the firm's e-business practice, steering its multijurisdictional e-business legal strategy. This entails focusing on internet law, data protection, e-commerce and e-government. He is also a domain names arbitrator for the Belgian Centre for Mediation and Arbitration (CEPINA) responsible for deciding on '.be' domain name disputes. Patrick is Head of the Internet law group.

Florence de Villenfagne is self-employed IT Law Consultant. Since 2012, Florence has been data protection expert performing personal data protection analyses to help companies identifying the personal data they process and respecting applicable DP Law. Prior to this, Florence was Head of Unit at FUNDP (Université de Namur), Research in IT Law - specialised in personal data protection. Until 2003 she was an Attorney at Law at the Brussels bar with Landwell.

Hans Graux (see above).


• 16.00 : Coffee Break & Networking


• 16.30 : Technology Practitioners Showcases Lars Putteneers, Sophos

About : Lars Putteneers has been with Sophos since 2015, as Sales Engineer working on various technologies including firewall, antivirus, encryption, wireless, MDM, global security. With this background and his experience in account management and keen technological interest, Lars assists Sophos partners and customers with deeper technological knowledge about the solutions they provide. Prioir to Sophos, Lars was with Mobile Access, Software Advies and Ordina Belgium.


• 17.00 : Advisory Panel :identifying key challenges from a practitioners perspective, moderated by Hans and Ulrich
- Laurie-Anne Bourdain (EY) Manager Cyber Security & Data Protection Lead
- Erik Luysterborg (Deloitte)  
- Kristof Dewulf (Cranium)
- Jan De Meyer (PWC), Director
- Nicolas Delcroix (RSM)

This panel will be focusing on the possible role advisory and technical consultants can play, whether to act solely from an audit or also advisory role? What are the typical roles they can enter into within an organization? Each organization will be having 3 min to present their methodology (maximum 1 slide). What do they consider as  International challenges and approaches? What ar e the typical challenges they're being confronted with? (Complementary question, starting with 1 and the others add up to it and don’t repeat the previous respondent). What are the priorities companies need to deal with in trying to comply to GDPR ? (Complementary question). What other types of regulatory frameworks and procedures could be applied?  GDPR only foresees in the definition on certification bodies: what will be the driving certifications?  Will the GDPR lead to a 'chain' of certified companies and is there is enough capacity in knowledge and expertise to face the challenge?
What are the tools, if any to support data subject demands such as data portability,... 

About : 

Kristof Dewulf is Business Unit Director at CRANIUM APPLIED PRIVACY NV, passionate consultant with over 10 years professional experience, specialized in data protection / privacy and cyber security management matters. with extensive knowledge of related (control) frameworks and experience in reporting to senior management. Kristof enjoys leading strategic data protection / privacy and cyber security projects and ensuring my team is delivering the highest quality. Eager for knowledge, continuously searching for and sharing information on these topics through blog articles, research and threat intelligence reports, peer discussions, presentations, etc ... Kristof recently joined Cranium after having been Senior Manager Cyber Security and Data Privacy at E&Y for over a decade. Earlier, Kristof was System Engineer at Dolmen, System Controller at Belgacom Mobile Proximus and System Engineer at Thomas Cook. 

Laurie-Anne Bourdain is Manager Cyber Security & Data Protection Lead at E&Y. Prior to E&Y, Laurie-Ann was Expert Process Manager IT Risk, Continuity & Security at ING Belgium and IT Process Manager Risk & Compliance at ING Belgium. She joined as Functional Analyst in 2008 after having been Web Application Developer at the Ecole des Mines de Paris (ISIGE), France

Jan De Meyer is Director at PWC with more than 15 years of experience in the field of information security. He specializes in enterprise security architecture and Identity and Access Management. Although he understands very well the technical details, he primarily looks at the process and organizational side of a project. In those positions, he performed multiple projects covering several security domains and diverse customers; from SMB to Multinationals, from private to public sector, from operational to strategic level, from data-center to board room. He joined Ascure in 2000 as IT security consultant and moved gradually to a leading consultant and director. In 2011 Ascure became a subsidiary of PwC Advisory Services, a member of the PwC Network.

Erik Luysterborg (see above)

Nicolas Delcroix (see above)

• 17.00 : Parallel Session : Technology Practioners Showcases, Patrick McLaughlin, Oracle

About : Patrick McLaughlin is an Oracle Fellow specialising in Information Security for Oracle across EMEA. He has over fifteen years experience in IT security. He is responsible for promoting Oracle's security offerings and enterprise solutions architecture, internally across the Oracle presales, sales and consulting, and externally with major customers and partners across EMEA. Most recently he has been working on security of Cloud, Mobile and Big data. Prior to this role Patrick was CTO at Baltimore Technologies, where he was product architect for Baltimore's PKI product and cryptographic toolkits. He also had responsibility for company R&D, technology partnering and working with lead customers in government and finance. Patrick has worked as an independent consultant for several years and has extensive experience in the distributed systems and telecoms management areas, having worked for Broadcom Éireann Research and Ericsson for ten years.


• 17.45 : Closing Notes by Willem Debeuckelaere, President of CBPL (

During the course of the day, the CBPL will have been debating in parallel about its future directions in 2017. Mr. Debeuckelaere will explain some of the decisions taken for the CBPL and its implications towards practioners and the implementation in Belgium of the GDPR. Some further directions will be given on important challenges and how the industry will be able to work together with the CBPL and what to expect of it, both in terms of advisory and in terms of policing. During the course of the day, CBPL personnel will be available and taking up some challenges and comments which were part of the panels and discussions. Some of these will be reacted upon by Mr. Debeuckelaere. 

About: Willem Debeuckelaere is law graduate of the University of Ghent, Belgium. He worked as a lawyer from 1977 till 1995. He was president of the “Human Rights League” from 1982 to 1989. He published on legal aid, constitutional and administrative law, privacy and data protection. He was head of the cabinet of the Belgian Minister of the Interior from 1995 till 1998. He was first nominated judge of the tribunal of first instance and subsequently, in 2002, counsellor of the Ghent Court of Appeal. He was Vice-President of the Belgian Commission for the Protection of Privacy from 2004 till March 2007. He has been President of this Commission since April 2007. 

The session will close with a short Q&A. 

• 18.30 : Closing reception.

• 19.30 : End of event


For the most recent updates and background information on developments and recommendations on the implications of the GDPR, please visit
Recent clarifications include : 


Session Materials:

Materials are now available for download. Attending to the event was free, but we charge a minor fee for the materials in order to ensure some income for the organization. As a non-profit organization, due to tax reasons, a small charge is asked to cater for the incurred costs. You will be transferred to and be asked to pay for 121 € (100 € excl, 21% VAT). You will be able to receive an invoice if you leave your company details and PO number. Once paid, you will receive a downloadlink to download the .zip with all materials. 


LSEC continues to support creating awareness on information security, will try to lower the barrier for ict security professionals. With this mechanism, all attendees have evaluated the value of the presented materials and can easily contribute to the future activities. 


Event location & Host of the Day: IBM 


Special Thanks to IBM for hosting this activity at their Innovation Center in Brussels:

IBM Client Innovation Center Brussels
Avenue du Bourget 42
1130 Bruxelles, Belgium

Registration is free of charge upon prior registration via the registration page, take note that seats are limited

LSEC for Security Professionals


LSEC for Security Companies


LSEC for enterprise & government


LSEC for academia & research institutes


Request information about LSEC Membership

Click here

Sign up for our newsletter

Click here

Learn more about current projects & industry collaborations

Click here

Contact us

Click here


Privacy | Disclaimer | Responsible Disclosure Copyright LSEC - Leaders In Security 2002 - 2017 - Kasteelpark 10, 3001 Heverlee - Leuven | tel. +