The Belgian Data Protection Authority (DPA) has significantly increased its enforcement activity in recent years. SMEs are no longer exempt: several recent investigations have targeted companies with fewer than 50 employees, with fines reaching tens of thousands of euros for technical shortcomings deemed avoidable.
The good news: most gaps identified during DPA inspections are detectable — and correctable — before an incident occurs. A structured cybersecurity audit is your first line of defence.
What the DPA actually inspects
Contrary to a common misconception, the DPA does not focus solely on privacy policies and consent forms. Technical inspections cover areas including:
- Access management: who can access which data, with what privileges, and is this documented?
- Encryption: are personal data encrypted at rest and in transit?
- Traceability: do you maintain logs that allow you to trace who accessed what and when?
- Subprocessor management: have you signed data processing agreements (also abbreviated DPA, not to be confused with the Data Protection Authority) with all service providers that process data on your behalf?
- Data breach procedure: are you able to notify the DPA within 72 hours of detecting an incident?
These requirements are drawn directly from Article 32 of the GDPR, which mandates “appropriate technical and organisational measures” — a deliberately broad formulation that leaves room for interpretation, but which in practice is assessed against recognised standards such as ISO 27001 and the CIS Controls.
The five most common gaps in Belgian SMEs
1. Password and authentication management
The majority of SMEs we audit still use shared passwords for critical access points (servers, line-of-business applications, admin email accounts). The absence of MFA (multi-factor authentication) on remote access is the most commonly sanctioned shortcoming.
Priority fix: deploy MFA on Microsoft 365 / Azure AD, VPN, and all RDP or SSH access exposed to the internet.
2. Lack of network segmentation
Do your production servers, user workstations and IoT devices (printers, cameras, access control systems) share the same network segment? A compromised printer can serve as an entry point to your data servers. VLAN segmentation is a baseline measure that remains absent in over 60% of the SMEs we assess.
3. Untested backups
Having backups is necessary but insufficient. The DPA and cyber insurers require regular, documented restore tests. We routinely encounter backups that have been silently failing for weeks, discovered only during an actual incident.
4. Non-existent personal data inventory
You cannot protect what you do not know you process. The processing register (Article 30 GDPR) is mandatory for any organisation with more than 250 employees, but strongly recommended for all SMEs. It must cover: what data, for what purpose, with what retention period, which recipients.
5. No incident response procedure
In the event of ransomware or a data breach, who in your organisation is responsible for what? What are the emergency contacts? What is the procedure for notifying the DPA? Without a documented process, reaction time triples and communication errors compound the impact.
How to structure your internal audit
An SME cybersecurity audit follows three phases:
Phase 1: Inventory (1 to 2 days)
Map all IT assets (servers, workstations, applications, cloud services), identify personal data being processed, list subprocessors with data access.
Phase 2: Risk assessment (2 to 3 days)
For each critical asset, assess the likelihood and impact of a compromise. Use a simple risk matrix (likelihood x impact) to prioritise corrective actions.
Phase 3: Prioritised remediation plan
A list of corrective actions ranked by priority (critical / high / medium), with effort and cost estimates for each measure. This document becomes your cybersecurity roadmap for the next 12 months.
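The three phases above end in a ranked list of corrective actions. The following script is an added illustration, not ITOPS.be's own tooling: it applies the simple likelihood x impact matrix from Phase 2 to a constructed set of findings modelled on the five gaps described earlier and produces the prioritised plan of Phase 3. The 1-to-5 scales, the critical/high/medium thresholds and the effort and cost figures are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int        # 1 (negligible) .. 5 (severe), assumed scale
    effort_days: float # estimated effort, illustrative values
    cost_eur: int      # estimated cost, illustrative values


def risk_score(f: Finding) -> int:
    """Likelihood x impact, the article's simple risk matrix (range 1..25)."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError(f"likelihood and impact must be 1..5: {f}")
    return f.likelihood * f.impact


def priority(score: int) -> str:
    """Band a 1..25 score into critical / high / medium (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    return "medium"


def remediation_plan(findings):
    """Rank findings by score, highest first; ties go to the cheaper-to-fix item."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.effort_days))
    return [(priority(risk_score(f)), risk_score(f), f) for f in ranked]


# Constructed sample findings, mirroring the five common gaps in the article.
SAMPLE = [
    Finding("VPN / RDP", "no MFA on internet-exposed remote access", 5, 5, 1.0, 500),
    Finding("LAN", "printers and servers on the same VLAN", 3, 4, 3.0, 2000),
    Finding("Backups", "no documented restore test", 3, 5, 1.5, 0),
    Finding("GDPR register", "no personal data inventory", 2, 3, 2.0, 0),
    Finding("IR", "no incident response procedure", 3, 3, 2.0, 0),
]

if __name__ == "__main__":
    for band, score, f in remediation_plan(SAMPLE):
        print(f"{band:8} {score:2}  {f.asset:14} {f.issue} ({f.effort_days}d, EUR {f.cost_eur})")
```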
Minimum technical measures
Regardless of your audit results, certain measures must be in place at any SME that processes personal data:
- MFA enabled on all Microsoft 365 accounts and remote access
- Full-disk encryption on all workstations (BitLocker / FileVault)
- 3-2-1 backup policy: 3 copies, on 2 different media, with 1 offsite
- Security patches applied within 30 days of publication
- Antivirus/EDR deployed and centrally managed across all endpoints
- Login logs retained for a minimum of 6 months
These measures do not guarantee full GDPR compliance, but they constitute the baseline that any auditor or insurer will consider the expected minimum.
ITOPS.be: your partner for audit and remediation
We conduct GDPR cybersecurity audits for Belgian SMEs of 20 to 250 employees. Our approach combines technical assessment (vulnerability scanning, targeted penetration testing, configuration analysis) and organisational assessment (policies, procedures, team training).
Following the audit, you receive a clear report with prioritised, costed recommendations — not an incomprehensible 200-page document, but a realistic action plan tailored to the size and resources of your organisation.
Contact us to discuss your situation and receive a quote for an audit tailored to your sector and scope.