GDPR and Cyberattack: Belgian SME Obligations

GDPR applies to all Belgian companies

If you handle personal data (customer names, emails, addresses), you’re subject to GDPR, regardless of company size. A cyberattack triggers specific legal obligations you must fulfill to avoid sanctions.

The 72-hour notification rule

When notification is required

You must notify the Data Protection Authority (DPA) within 72 hours if the breach:

  • Involves personal data (GDPR scope)
  • Presents a risk to individuals’ rights and freedoms
  • Affects data integrity, confidentiality, or availability

What to report

Minimum information required:

  1. Nature of the breach (ransomware, phishing, etc.)
  2. Categories and approximate number of affected individuals
  3. Likely consequences for data subjects
  4. Measures taken or proposed to address the breach
  5. Contact point for further information

Belgian DPA contact: commission@apd-gba.be

Exemptions

Notification not required if:

  • Breach unlikely to result in risk to rights and freedoms
  • Technical measures (encryption) render data unintelligible
  • Subsequent measures eliminate the risk

Notifying affected individuals

Direct notification required when

The breach is likely to result in high risk to individuals:

  • Identity theft potential
  • Financial fraud risk
  • Discrimination or reputational damage
  • Loss of confidentiality of special category data
  • Significant economic or social disadvantage

Notification content

Must include in clear language:

  • Description of the data breach
  • Contact point for questions
  • Likely consequences
  • Measures taken to address the breach
  • Recommendations for individuals (password changes, etc.)

Exemptions from individual notification

Not required if:

  • Data was encrypted (technically protected)
  • Post-breach measures eliminate high risk
  • Disproportionate effort (contacts unknown); a public communication must be used instead

GDPR sanctions and fines

Penalty structure

Administrative fines up to:

  • €10 million or 2% of annual global turnover (whichever is higher)
  • €20 million or 4% of annual global turnover (serious violations)

SME-specific considerations

Belgian DPA approach for SMEs:

  • Proportionality principle applied
  • First-time violations: Often warnings rather than fines
  • Good faith efforts: Mitigating factor
  • Resources and size: Considered in penalty calculation

Recent Belgian cases

Company | Sector     | Violation                  | Fine
SME A   | Healthcare | Inadequate security        | €50,000
SME B   | Retail     | Late notification (5 days) | €15,000
SME C   | Services   | No data inventory          | €25,000

Average SME fine in Belgium: €20,000-75,000

Documentation requirements

What to keep

Breach register must record:

  • Date and time of discovery
  • Circumstances of the breach
  • Data categories affected
  • Approximate number of individuals
  • Notifications made (DPA, individuals)
  • Actions taken to mitigate
  • Lessons learned

Retention: Indefinite (evidence of compliance)

Evidence preservation

Critical for defense:

  • System logs (pre and post-incident)
  • Email communications
  • Incident response timeline
  • Expert reports (forensics)
  • Remediation measures implemented

Cyber insurance and GDPR coverage

What InQase covers

Legal obligations:

  ✅ DPA notification costs
  ✅ Individual notification (letters, call center)
  ✅ Legal counsel for regulatory response
  ✅ Data Protection Officer consultation
  ✅ Crisis communication/PR

Financial protection:

  ✅ GDPR fines (where insurable under Belgian law)
  ✅ Regulatory defense costs
  ✅ Third-party claims from data subjects
  ✅ Remediation costs

Limitations:

  ❌ Criminal fines (uninsurable)
  ❌ Penalties for intentional violations
  ❌ Fines from pre-existing breaches

Real case support

Belgian medical practice incident:

  • 2,000 patient records breached
  • Notification requirements: DPA + individuals
  • InQase provided:
    • Legal counsel (GDPR compliance)
    • Notification logistics (letters + call center)
    • DPA liaison support
    • PR strategy

Total notification costs: €18,000
Insurance coverage: €17,500
DPA outcome: No fine (proper handling demonstrated)

Best practices for compliance

Pre-incident preparation

  1. Data mapping: Know what personal data you hold
  2. Risk assessment: Identify high-risk processing
  3. Security measures: Implement appropriate safeguards
  4. Incident response plan: Include GDPR notification procedures
  5. Staff training: Everyone knows breach reporting duties

During incident response

  1. Immediate assessment: Is personal data involved?
  2. Risk evaluation: Likelihood of harm to individuals?
  3. Legal consultation: Call InQase hotline for GDPR guidance
  4. Evidence preservation: Document everything
  5. 72-hour clock: Starts when breach discovered, not when confirmed
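The assessment steps above (is personal data involved, how likely is harm, when does the 72-hour clock run out) and the earlier rules on DPA notification, individual notification, their exemptions, the minimum report content and the breach register fields can be captured in a small decision helper. The following is an added example, not an InQase tool or a legal opinion: the field names, the boolean inputs (which an assessor still has to decide), the sample incidents and the draft report are all constructed for illustration, and the clock is started at the discovery time, as the page states.

```python
"""Breach register entry plus GDPR notification decision helper (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The DPA must be notified within 72 hours; the page starts the clock at discovery
DPA_NOTIFICATION_WINDOW = timedelta(hours=72)

# Minimum content of the DPA notification (the five items listed on the page)
DPA_REPORT_REQUIRED_FIELDS = (
    "nature_of_breach",
    "affected_categories_and_count",
    "likely_consequences",
    "measures_taken_or_proposed",
    "contact_point",
)


@dataclass
class BreachRecord:
    """One breach register entry; the fields mirror the register items on the page."""
    discovered_at: datetime            # timezone-aware; the 72-hour clock starts here
    circumstances: str
    data_categories: list
    approx_individuals: int
    personal_data_involved: bool       # GDPR scope test
    risk_to_individuals: bool          # any risk to rights and freedoms
    high_risk_to_individuals: bool     # identity theft, fraud, special-category data ...
    data_unintelligible: bool = False  # e.g. encrypted and the key was not exposed
    risk_eliminated: bool = False      # subsequent measures removed the risk
    contacts_known: bool = True        # False -> public communication instead of letters
    notifications_made: list = field(default_factory=list)
    mitigation_actions: list = field(default_factory=list)
    lessons_learned: str = ""


def dpa_deadline(record):
    """Latest moment at which the DPA notification must be submitted."""
    return record.discovered_at + DPA_NOTIFICATION_WINDOW


def hours_remaining(record, now):
    """Hours left on the 72-hour clock at time `now` (negative once overdue)."""
    return (dpa_deadline(record) - now).total_seconds() / 3600


def decide_notifications(record):
    """Apply the notification rules and exemptions; returns which channels are required."""
    if not record.personal_data_involved:
        return {"dpa": False, "individuals": False, "public_communication": False}
    # Encryption and risk-eliminating measures appear in both exemption lists
    exempt = record.data_unintelligible or record.risk_eliminated
    dpa = record.risk_to_individuals and not exempt
    high_risk = record.high_risk_to_individuals and not exempt
    return {
        "dpa": dpa,
        "individuals": high_risk and record.contacts_known,
        "public_communication": high_risk and not record.contacts_known,
    }


def missing_report_fields(report):
    """Names of the minimum DPA report items that are absent or empty in a draft."""
    return [f for f in DPA_REPORT_REQUIRED_FIELDS if not report.get(f)]


# --- Constructed sample data (hypothetical incidents, not real cases) ---
SAMPLE_RANSOMWARE = BreachRecord(
    discovered_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    circumstances="Ransomware encrypted the file server; exfiltration suspected",
    data_categories=["names", "emails", "postal addresses"],
    approx_individuals=2000,
    personal_data_involved=True,
    risk_to_individuals=True,
    high_risk_to_individuals=True,
)

SAMPLE_ENCRYPTED_LAPTOP = BreachRecord(
    discovered_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    circumstances="Lost laptop with full-disk encryption, key not exposed",
    data_categories=["customer names", "invoices"],
    approx_individuals=300,
    personal_data_involved=True,
    risk_to_individuals=True,
    high_risk_to_individuals=False,
    data_unintelligible=True,
)

SAMPLE_CHECK_TIME = datetime(2024, 3, 2, 21, 0, tzinfo=timezone.utc)  # 36 h after discovery

SAMPLE_DRAFT_REPORT = {
    "nature_of_breach": "ransomware",
    "affected_categories_and_count": "customer contact data, approx. 2,000 individuals",
    "likely_consequences": "",  # still being assessed, so flagged as missing
    "measures_taken_or_proposed": "server isolated, restored from backup",
    # contact_point not yet filled in
}

if __name__ == "__main__":
    print(decide_notifications(SAMPLE_RANSOMWARE))
    print(f"{hours_remaining(SAMPLE_RANSOMWARE, SAMPLE_CHECK_TIME):.0f} h left on the clock")
    print("missing from draft report:", missing_report_fields(SAMPLE_DRAFT_REPORT))
```

The helper only encodes the page's rules; the judgement calls (is there a risk, is it a high risk, does the encryption really render the data unintelligible) remain inputs that the incident lead has to set, and the register entry should be updated as those assessments change.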

Post-incident actions

  1. Internal review: What went wrong?
  2. Process improvements: Update policies and procedures
  3. Training updates: Share lessons with team
  4. Technology enhancement: Implement preventive measures
  5. Monitoring: Increased vigilance period

NIS2 directive additional requirements

Applicability to Belgian SMEs

NIS2 scope (from Oct 2024):

  • Essential entities: >50 employees or >€10M revenue in critical sectors
  • Important entities: Same thresholds in important sectors

Critical sectors include:

  • Healthcare
  • Digital infrastructure
  • Financial services
  • Energy, transport
  • Public administration

Additional obligations

Beyond GDPR:

  • 24-hour incident notification (to CSIRT)
  • Cybersecurity risk management measures
  • Supply chain security requirements
  • Management accountability

Penalties: Up to €10M or 2% of global turnover

InQase NIS2 support

For NIS2-subject companies:

  • Compliance gap analysis
  • Incident notification assistance
  • Documentation templates
  • Management training
  • CSIRT liaison

Sector-specific considerations

Healthcare

Special category data: Health information requires extra care

  • The high-risk threshold for notifying individuals is often met
  • Professional secrecy obligations
  • APD healthcare guidance must be followed

Financial services

Dual reporting:

  • GDPR (DPA) AND
  • Financial sector regulator (NBB/FSMA)

E-commerce

Payment data: PCI DSS AND GDPR obligations

  • Payment processor notification
  • Bank/card scheme notification
  • Customer notification (high risk)

Legal/Accounting

Professional secrecy: Additional confidentiality duties

  • Bar association notification (lawyers)
  • Professional association (accountants)
  • Enhanced care expectations

Conclusion

GDPR obligations after a cyberattack are complex but manageable with proper preparation. The 72-hour notification deadline requires immediate action; having an incident response plan and cyber insurance with GDPR coverage is essential.

InQase cyber insurance includes comprehensive GDPR support:

  • Legal expertise (FSMA-registered broker)
  • Notification logistics (cost covered)
  • Regulatory liaison
  • Documentation assistance
  • 24/7 emergency guidance

Don’t navigate GDPR compliance alone after an incident. Contact InQase for protection and expert support.