At a very well attended Privacy Focus group meeting, Data Protection Authority chairman David Stevens provided more insight into the DPA’s strategic plan 2020-2025 and this year’s management plan.
Priorities include a focus on sectors such as telecom and media, the public sector, the direct marketing sector, education and SMB (KMO/PME). This does not mean they are in line for more enforcement, but rather for support and help. Other points of action relate to the GDPR implementation cycle and proactive attention to societal challenges. While requesting funding to hire more people, David Stevens strongly supports cooperation with platforms such as the Cyber Security Coalition, as “we cannot do it all by ourselves.”
A GDPR compliance challenge was highlighted by Roeland Lembrechts’ “Shadow IT and GDPR” presentation (Sirius.Legal). Shadow IT includes all ‘non-ICT approved’ information technology used by employees. Uncertainties regarding GDPR compliance leave employers open to privacy infringements, as they remain ultimately liable as controller. Exceptions are very few, including the employee becoming controller by processing data on his or her own initiative, or being liable because of fraud or negligence. His advice: embrace shadow IT, clear up the shadow and provide good policy, participate by buying into it, and monitor and manage it.