BDPA publishes draft strategic plan for 2026–2028

The Belgian Data Protection Authority (BDPA) has recently released the draft of its Strategic Plan for 2026–2028. This strategy presents the BDPA’s objectives and priorities for the upcoming years. Drawing on seven years of operational experience, the BDPA reviews its activities and incorporates insights gained from previous challenges and errors. These lessons learned serve as a foundation for a more pragmatic and efficient approach moving forward.

One of the primary challenges moving forward is the rapid pace of technological advancements in Artificial Intelligence (AI), alongside the notable rise in both the volume and complexity of cases. In 2024, the BDPA processed over 3,000 cases. Additionally, the Parliamentary Committee for Budgetary Control implemented a recruitment freeze, “_in principle until 2029_”, indicating that the BDPA cannot automatically rely on increased staffing levels. This restriction persists despite the fact that the BDPA will assume supervisory responsibilities under a broad spectrum of new European legislation—the so-called ‘Digital Rulebook’—which includes the AI Act, the Data Act, the Digital Services Act, the Data Governance Act, and the European Health Data Space (EHDS).

To address these challenges, the BDPA focuses its strategy on two main principles: prioritisation and cooperation.

The BDPA intends to reinforce its role as watchdog and information hub. This entails:

• a stronger focus on informing and raising awareness among citizens, DPOs, organisations, and others through targeted communication campaigns and a proactive media strategy;
• close monitoring and in-depth understanding of technological, economic and societal developments, accompanied by timely recommendations; and
• an increased emphasis on mediation and proactive inspections.

The BDPA is adopting modern tools, including AI applications, to improve quality and efficiency. The five directors oversee effective task allocation.

Due to limited resources and rising cases, the BDPA will introduce a prioritisation policy to allocate resources more effectively. This involves reforming its tasks and processes and establishing a clear substantive focus.

Tasks and processes

The operational model restructuring will include:

• shifting from responding to individual information requests to developing broader-impact information channels;
• resolving suitable complaints through low-threshold mediation via the First Line Service to address disputes early with minimal procedures; and
• reforming the internal complaints process to focus on proactive enforcement. The Inspection Service will prioritize cases with significant societal impact, while the Litigation Chamber will concentrate on well-prepared, high-stakes cases for quality decisions.

With this approach, the BDPA aims to increase capacity for proactive enforcement, better decisions, closer appeal follow-up, and effective implementation of European legislation, leading to stronger data protection. Additionally, the BDPA plans to streamline personal data breach management with a new case-management system.

Substantive focus: where will the emphasis lie?

In the coming years, the BDPA will focus on two (2) priority themes:

• large-scale data processing operations that may pose high risks to data subjects’ rights and freedoms, such as the processing of health data, profiling in the financial and insurance sectors, registration systems in medical practices, and large government databases; and
• processing of personal data of minors, given their heightened vulnerability in the digital environment, where their data are continuously collected and monitored.

The BDPA remains committed to strengthening its partnerships, acknowledging that collaboration is essential within the complex regulatory environment.

Its primary responsibilities are centred on participation in the EDPB, where it plays an integral role in shaping European guidelines and addressing cross-border cases, contributing to the development of a consistent data protection framework. Each directorate will designate representatives to further enhance European cooperation.

Moreover, the BDPA intends to reinforce its collaborative efforts with federal and, where applicable, regional supervisory authorities. Additional cooperation protocols are being formulated with regulators such as the Belgian Competition Authority (BCA) regarding the Digital Markets Act and BELAC, the Belgian accreditation body, as well as through increased engagement on matters related to the AI Act and the Digital Services Act, ensuring robust and harmonised oversight of data protection.

The BDPA will continue to provide proactive advice to legislators, identifying emerging trends, risks, and regulatory challenges, thereby supporting the development of practical and effective legal frameworks.

The BDPA’s new strategy means companies will face stricter inspections, especially for large-scale data processing, due to proactive supervision and tighter priorities. With the BDPA no longer answering individual queries, organizations must take greater responsibility for up-to-date compliance. Compliance is more important than ever.

We will continue to monitor updates on the BDPA’s strategic plan. For questions about recent data protection developments, contact Lydian’s Information Governance and Data Protection (Privacy) team.