GDPR

What does the DPA's 2026-2028 strategic plan teach us?

Joris Deene
1 week ago
153 views
8 minutes reading time

The Data Protection Authority (DPA) has published its draft strategic plan for 2026-2028 . The DPA is struggling with an increasing number of cases and a wave of new, complex European legislation, but is at the same time facing a recruitment freeze. The proposed strategy is therefore a clear choice: the DPA will no longer disperse its resources and resolutely opts for prioritization and cooperation. For citizens and businesses, this represents a major shift: expect less individual support and more proactive, targeted enforcement on strategic themes.

This strategy is currently a draft open for public consultation. Both citizens and organizations can provide their feedback on the proposed direction through Nov. 19, 2025.

Why this change in direction? The DPA under pressure

The DPA operates in what it itself describes as a “budget challenging context”. The urge to prioritize does not come out of the blue, but is a direct response to a “tripartite challenge” that makes normal operation untenable.

1. Rising and more complex cases

The DPA sees the number of current cases increase year after year. The table in the plan shows a marked increase in complaints, data breach reports (breaches) and advisory requests, among others. At the same time, cases are becoming more substantively complex due to rapid technological developments.

2. A ‘tsunami’ of new EU legislation

In addition to the General Data Protection Regulation (GDPR) the DPA must play a supervisory role in a whole series of new European rules, known as the ‘Digital Rulebook’. The plan lists an impressive list , including:

These new tasks are in addition to the existing workload.

3. A hard recruitment freeze

To handle these growing and more complex tasks, the DPA “cannot automatically count on additional staff.”. The plan is very explicit in this: there is a hiring freeze (appropriations for additional staff are “in principle denied”) that runs “in principle through 2029”.

The DPA itself concludes that it too often operates “under the pressure of an unpredictable and sometimes even unmanageable influx of cases.” The new strategy should break through this. The clear message is: “The DPA must be able to lead.”.

The core of the strategy: prioritization in two axes

To “maximize” its resources , the DPA will base its choices on two axes: a reform of its tasks and processes, and a sharp substantive focus.

Axis 1: a radical reform of core functions

This is where citizens and organizations will feel the change most strongly. The DPA will accomplish certain mandatory tasks “in a different way"..

Information questions: “self-reliance” becomes the norm

The DPA stops systematically tailoring its response to the thousands of individual information requests it receives each year (over 3,000 by 2024).

  • The motivation: It is impossible and involves “no legal obligation” to answer every question in a customized manner.
  • The new approach: The DPA puts maximum effort into empowerment: citizens and DPOs (Data Protection Officers) must be able to apply the rules themselves. This is done through clear information on the website (FAQs, checklists, videos).
  • What happens to your question? Individual questions will “no longer be answered from now on,” but will serve as “signals” to improve the overall provision of information.
  • The advantage: This shift should free up capacity for the First Line Service to strengthen its role as a mediator.

Complaints: mediation first, sanctions for severe cases

The DPA acknowledges that complaint handling is a “major challenge” that complicates proactive work . However, she has a “margin of discretion” and will deploy them as follows:

  • New standard: Complaints that lend themselves to this will be handled “maximally” through mediation by the First Line Service.
  • Objective: Simple disputes “resolved early and pragmatically” with “minimal procedural burden.”.
  • Methods: These can range from “norm-transfer letters” (explaining the rules) to “constructive dialogues.”.
  • Consequence: This significantly strengthens the role of the First Line Service.

Enforcement: focus on “strategic files”

The DPA wants to move toward a “more proactive enforcement policy” that is “less complaint-driven”.

  • Inspection Service: It will devote its resources to “cases with a high social impact (strategic cases).” Non-priority cases will be dealt with “at a low level,” for example, “following regularization during the investigation.”.
  • Litigation Chamber: With fewer but better prepared cases flowing through, the LItigation Chamber can focus on “even more quality decisions” in those strategic cases.
  • Important nuance: This does not mean the end of sanctions. Fines and corrective measures remain an “important option,” but will stand alongside other solutions.

Opinions: impact-based triage

When the DPA is asked for advice (e.g. on new draft legislation), it will triage.

  • Specific tailored advice will only continue to be provided “where there is genuine added value and/or where there is significant interference with the rights and freedoms of citizens.”.
  • In “other cases,” the DPA may grant a standard opinion with general guidelines.
  • This should free up capacity to make more general recommendations, preferably at the level of the EDPB.

Data breaches and Codes of Conduct

  • Data breaches: The DPA is opting for a “higher degree of prioritization” , supported by a new case management system. Again, the focus is on infractions “with high societal impact.”.
  • Codes of conduct: The DPA will “strictly ... guard” that it only invests significant resources in draft codes of conduct that provide “real added value” and do not “duplicate the provisions of the GDPR.”.

Axis 2: substantive focus on two high-risk themes

The capacity released will be proactively deployed on two substantive priorities. If your organization operates in any of these areas, you will be high on the radar for the next three years.

Priority 1: large-scale high-risk data processing operations

The DPA targets “both private and public sector” processing operations that “potentially pose a high risk to the rights and freedoms of data subjects”. The plan itself provides very specific examples:

  • Health sector: “the processing of health data by hospitals and healthcare networks” and “registration systems at e.g. ... general practitioners.”.
  • Financial sector: “profiling in the banking and insurance sector”.
  • Public Sector: “databases at tax authorities”.
  • Data trading: “advertising technologies and other large-scale processing by data brokers.”.

Priority 2: processing of personal data of minors

The DPA considers minors a “vulnerable group”.

  • Reality: Their data is “continuously ... collected, shared and analyzed -often without being aware of the implications.”.
  • The dual purpose: The DPA aims not only to protect them in a targeted way , but also to inform and sensitize them so that they themselves develop appropriate reflexes (empowerment).

The second spearhead: continued collaboration

The DPA recognizes that it does not operate alone in a “complex regulatory landscape”. The second lever, besides prioritization, is “collaboration”.

  1. European level (EDPB): This is its “most important role” and of “great strategic importance.” The EDPB sets “common European guidelines” and deals with “important cross-border dossiers.” Here, the DPA wants to position itself as an “active and reliable European partner.”.
  2. National level (other regulators): Data protection is “less and less distinguishable as a ‘separate discipline’”. This requires a “holistic approach.” Specifically, cooperation protocols are in preparation with the BCA (on the Digital Markets Act), Belac (on certification) and the BIPT (regarding the AI-Act, DSA and Data-Act).
  3. The Legislature: The GBA also aims to proactively “identify trends, risks and gaps ... in regulations” to legislative bodies.

Conclusion: What does this mean for your organization?

This strategic plan is an important signal. The DPA is transforming from a reactive, complaint-driven administration to a proactive, risk-based regulator in Belgium.

  1. Your opinion counts (now): The GBA invites you to comment on this draft plan. You can review the draft strategic plan and send your feedback through Wednesday, Nov. 19, to strategie@apd-gba.be.
  2. Accountability becomes crucial: Now that the DPA stops systematically answering individual questions, the “accountability” of you as an organization becomes even more important. You must demonstrate yourself that you are following the rules and can no longer rely on the DPA as a help desk.
  3. Risk of audit increases in priority sectors: The bad news is that if your organization operates in healthcare, finance, ad-tech, or processes data of minors , the risk of a proactive audit has increased significantly in the coming years.
  4. Mediation as opportunity: The good news is that the strong focus on mediation for simple disputes presents an opportunity. It allows cases to be resolved “quickly and pragmatically” without immediately escalating to a heavy investigation and sanction.
Do you have questions about the impact of this strategic plan on your organization? Or would you like to have your current data processing audited in light of these new priorities? Our attorneys specializing in data protection and the GDPR are ready to analyze your case. Feel free to contact us for an initial advice.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics