What is the FADP (nLPD)?
The Belgian Federal Act on Data Protection, known as the FADP or nLPD (nouvelle Loi fédérale sur la protection des données), is Belgium's updated data protection law. It came into effect on 1 September 2023, replacing the original 1992 framework with requirements that bring Belgian privacy standards in line with the EU's GDPR.
The revised law strengthens individual rights, broadens the definition of sensitive personal data, and introduces mandatory breach notification obligations. For law firms, it imposes direct accountability on the data controller — meaning partners and managing directors are personally responsible for compliance, not just the firm as an abstract entity.
The FADP governs how personal data is collected, processed, stored, and disclosed. It applies to any firm handling data of individuals located in Belgium, regardless of where the firm itself is domiciled. Penalties for violations can reach CHF 250,000 — levied against the responsible individual, not the firm.
Why law firms are high-risk targets
Law firms occupy a unique position in the threat landscape. They hold concentrated volumes of highly sensitive data: merger details, litigation strategies, intellectual property filings, personal financial records, and privileged client communications. This makes them disproportionately valuable targets for cybercriminals.
Several factors compound the risk:
- Attorney-client privilege: A breach doesn't just expose data — it may waive privilege and create malpractice liability.
- Regulatory obligations: Law firms in Belgium must comply with the FADP, cantonal bar rules, and, where applicable, GDPR for EU-based clients.
- Lean IT teams: Most small and mid-sized firms lack dedicated cybersecurity staff. The managing partner, an office manager, or an external IT provider handles security, often reactively.
- Trust-based relationships: Clients share information freely with their lawyers, trusting that confidentiality is absolute. A breach destroys that trust permanently.
- Interconnected systems: Firms exchange documents with courts, opposing counsel, and regulators using email, file-sharing platforms, and cloud tools — each one a potential attack surface.
In 2025, Belgian law enforcement reported a 32% increase in cyber incidents targeting professional services firms. Ransomware, business email compromise, and credential theft were the top three attack vectors. Law firms that assume "it won't happen to us" are statistically wrong.
10-point FADP compliance checklist
Use this checklist to evaluate your firm's current compliance posture. Each item maps to a specific obligation under the revised FADP.
- Appoint a data protection advisor. While not strictly mandatory for all firms, designating a responsible person (or engaging an external DPO) ensures that data protection decisions are made deliberately, not by default. Under Art. 10 FADP, organizations that voluntarily appoint an advisor benefit from certain procedural advantages.
- Maintain a processing activities register. Art. 12 FADP requires organizations with 250+ employees (or those processing sensitive data at scale) to document all data processing activities. Law firms should maintain this register regardless of size, given the sensitivity of client data. Record what data you collect, why, where it's stored, and who accesses it.
- Conduct a data protection impact assessment (DPIA). If your firm processes large volumes of sensitive personal data — medical records in personal injury cases, financial data in M&A transactions — Art. 22 FADP requires a formal risk assessment before processing begins.
- Implement a breach notification process. Under Art. 24 FADP, you must notify the FDPIC (Federal Data Protection and Information Commissioner) as quickly as possible when a data breach poses a high risk to affected individuals. Establish a documented incident response plan with clear roles, escalation paths, and templates.
- Review and update privacy notices. Art. 19 FADP requires transparent information about data collection. Your privacy policy must clearly state what data you collect, the legal basis for processing, retention periods, any cross-border transfers, and the rights of data subjects. Generic boilerplate is not sufficient.
- Audit cross-border data transfers. If your firm uses cloud services hosted outside Belgium, you must verify that the destination country provides adequate data protection (Art. 16 FADP). For countries not on the Federal Council's adequacy list, implement standard contractual clauses or obtain explicit consent.
- Enforce access controls and the principle of least privilege. Every lawyer, paralegal, and staff member should access only the data necessary for their specific role. Implement role-based access controls (RBAC), require multi-factor authentication (MFA) for all systems, and review permissions quarterly.
- Encrypt data at rest and in transit. Encryption is a baseline technical safeguard. Use TLS 1.3 for data in transit and AES-256 for data at rest. Ensure client portals, email communications, and document management systems all meet this standard.
- Establish a data retention and deletion policy. Define clear retention periods aligned with bar association rules and FADP requirements. When the legal basis for processing expires, data must be deleted or anonymized. Implement automated deletion workflows where possible to prevent accidental retention.
- Train all staff regularly. Human error causes the majority of data breaches. Conduct mandatory security awareness training at least twice per year. Cover phishing recognition, password hygiene, physical security, and the specific obligations that the FADP places on your firm. Document all training for compliance evidence.
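Items 7 and 9 are the two checklist points that translate directly into something you can automate. The following is an added illustration, not code from this page or from any product it mentions: a small retention and disposal workflow in which only a records-administrator role may execute deletions, and every action is written to an audit trail. The matter categories, retention periods, roles and sample records are all constructed for the example; real retention periods must come from your bar association rules and the FADP.

```python
"""Retention/disposal workflow gated by a least-privilege role check.

Added example (not from the original page). Policy values, roles and
records below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: years to retain after a matter closes, and what happens
# at expiry: "delete" outright, or "anonymize" (keep for statistics with
# identifying fields removed).
RETENTION_POLICY = {
    "litigation": (10, "delete"),
    "m_and_a": (10, "delete"),
    "personal_injury": (10, "anonymize"),   # medical data: sensitive
    "marketing_contact": (2, "delete"),
}

# Assumed RBAC table: only records_admin may dispose of records;
# everyone else may only read the review report.
ROLE_PERMISSIONS = {
    "partner": {"read_report"},
    "paralegal": {"read_report"},
    "records_admin": {"read_report", "execute_disposal"},
}


@dataclass
class Record:
    record_id: str
    category: str
    closed_on: date
    client_name: str


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February in a non-leap target year becomes 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_action(record: Record, today: date) -> str:
    """Return 'keep', 'delete' or 'anonymize' for one record as of `today`."""
    years, action = RETENTION_POLICY[record.category]
    return action if today >= add_years(record.closed_on, years) else "keep"


def review(records, today: date):
    """Disposal plan: (record_id, action) for every record past its retention period."""
    plan = []
    for r in records:
        action = disposal_action(r, today)
        if action != "keep":
            plan.append((r.record_id, action))
    return plan


def can_execute(role: str) -> bool:
    return "execute_disposal" in ROLE_PERMISSIONS.get(role, set())


def execute_disposal(role: str, records, today: date, audit_log: list):
    """Apply the plan and return the surviving records.

    Refuses (and logs the refusal) unless the role holds execute_disposal.
    Every delete/anonymize lands in audit_log, which is the evidence the
    processing register (item 2) and any regulator enquiry will ask for.
    """
    stamp = today.isoformat()
    if not can_execute(role):
        audit_log.append(f"{stamp} DENIED role={role} action=execute_disposal")
        raise PermissionError(f"role {role!r} may not dispose of records")
    survivors = []
    for r in records:
        action = disposal_action(r, today)
        if action == "delete":
            audit_log.append(f"{stamp} DELETE {r.record_id} category={r.category}")
            continue
        if action == "anonymize":
            r = Record(r.record_id, r.category, r.closed_on, client_name="[anonymized]")
            audit_log.append(f"{stamp} ANONYMIZE {r.record_id} category={r.category}")
        survivors.append(r)
    return survivors


def sample_records():
    # Constructed sample data, not real client records.
    return [
        Record("M-001", "litigation", date(2012, 3, 1), "Client A"),
        Record("M-002", "m_and_a", date(2020, 6, 15), "Client B"),
        Record("M-003", "personal_injury", date(2012, 2, 29), "Client C"),
        Record("M-004", "marketing_contact", date(2022, 1, 10), "Client D"),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    log = []
    print("plan:", review(sample_records(), today))
    kept = execute_disposal("records_admin", sample_records(), today, log)
    print("kept:", [(r.record_id, r.client_name) for r in kept])
    print("\n".join(log))
```

Run the script as-is to see the plan, the surviving records and the audit trail. The point of the role gate is that the review report can be read by anyone, but the irreversible step is tied to one named role and is always logged, including refused attempts.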
How GWARD helps with FADP compliance
GWARD was built for exactly this scenario: firms that handle sensitive data but lack the resources for a full-time security operations center.
Here's how GWARD directly supports your FADP compliance posture:
- Continuous monitoring (items 7 & 8): GWARD's endpoint agent monitors file access, authentication events, and network connections 24/7. Unauthorized access attempts are detected and flagged in real time, which backs up your access controls and gives you evidence that your encryption standard is being applied.
- Automated breach detection (item 4): When a security incident occurs, GWARD detects it within minutes — not days. This gives your firm the speed needed to meet the FADP's "as quickly as possible" notification requirement to the FDPIC.
- Audit-ready logging (item 2): Every security event is logged with timestamps, source identifiers, and severity ratings. These logs provide the documentary evidence that regulators expect during an audit or investigation.
- Plain-language alerts (item 10): GWARD translates technical security events into clear, jargon-free notifications that any partner or office manager can understand and act on. No cybersecurity expertise required.
- European-hosted infrastructure (item 6): All GWARD data is processed and stored on servers in Belgium and the EU. No cross-border transfer complications, no adequacy assessments needed.
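To make "flag unauthorized access attempts" and "plain-language alerts" concrete, here is an added illustration that is not GWARD's code and not part of the original page: a small detector run over a constructed endpoint audit log. It raises an alert when one user/source pair accumulates repeated failed sign-ins inside a short window, and a higher-severity alert when a user opens a document in a matter not assigned to them. The log format, thresholds, user-to-matter assignments and sample lines are all assumptions made for the example.

```python
"""Detection over endpoint audit events, producing plain-language alerts.

Added example; the log format, thresholds and assignments are constructed
assumptions, not a real product's format or configuration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: <iso-timestamp> <event> user=<u> src=<ip> <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>AUTH_FAIL|AUTH_OK|FILE_READ) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) (?P<detail>.*)$"
)
PATH_RE = re.compile(r"path=/matters/(?P<matter>[A-Z]-\d+)/")

# Assumed least-privilege map: the matters each user is allowed to open.
MATTER_ACCESS = {"alice": {"M-001", "M-002"}, "bob": {"M-002"}}

FAIL_THRESHOLD = 5                  # failed sign-ins ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window trigger an alert

# Constructed sample log. The malformed last line shows that one bad line
# must not abort the whole run.
SAMPLE_LOG = """\
2025-03-04T08:00:01 AUTH_FAIL user=alice src=203.0.113.7 reason=bad_password
2025-03-04T08:00:05 AUTH_FAIL user=alice src=203.0.113.7 reason=bad_password
2025-03-04T08:00:09 AUTH_FAIL user=alice src=203.0.113.7 reason=bad_password
2025-03-04T08:00:14 AUTH_FAIL user=alice src=203.0.113.7 reason=bad_password
2025-03-04T08:00:20 AUTH_FAIL user=alice src=203.0.113.7 reason=bad_password
2025-03-04T08:01:00 AUTH_FAIL user=alice src=203.0.113.7 reason=bad_password
2025-03-04T08:15:30 AUTH_OK user=alice src=10.0.0.21 method=mfa
2025-03-04T08:16:02 FILE_READ user=alice src=10.0.0.21 path=/matters/M-002/share-purchase.docx
2025-03-04T08:20:00 FILE_READ user=bob src=10.0.0.12 path=/matters/M-001/settlement.docx
this line is malformed and is skipped
"""


def parse_events(text: str):
    """Parse log text into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "kind": m["kind"], "user": m["user"],
            "src": m["src"], "detail": m["detail"],
        })
    return events


def detect(events):
    """Return audit-ready alerts: timestamp, source, severity, plain summary."""
    alerts = []
    fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    already_alerted = set()      # one alert per burst, not one per failure
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "AUTH_FAIL":
            key = (e["user"], e["src"])
            window = fails[key]
            window.append(e["ts"])
            while e["ts"] - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in already_alerted:
                already_alerted.add(key)
                alerts.append({
                    "time": e["ts"].isoformat(), "source": e["src"], "severity": "medium",
                    "summary": (
                        f"{len(window)} failed sign-in attempts for {e['user']} from "
                        f"{e['src']} within {FAIL_WINDOW.seconds // 60} minutes. Someone may be "
                        "guessing this password; confirm with the user and reset it if they "
                        "did not make these attempts."
                    ),
                })
        elif e["kind"] == "FILE_READ":
            pm = PATH_RE.search(e["detail"])
            if pm and pm["matter"] not in MATTER_ACCESS.get(e["user"], set()):
                alerts.append({
                    "time": e["ts"].isoformat(), "source": e["src"], "severity": "high",
                    "summary": (
                        f"{e['user']} opened a document in matter {pm['matter']}, which is not "
                        "assigned to them. Check whether this access was authorized and review "
                        "the folder's permissions."
                    ),
                })
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity'].upper()}] {a['time']} src={a['source']}: {a['summary']}")
```

Two design choices matter for the checklist: each alert carries a timestamp, source and severity (the fields item 2 calls audit evidence), and the summary text tells a non-technical reader what happened and what to do next, which is what item 10 means by staff being able to act on security information.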
Next steps for your firm
Compliance is not a one-time project. The FADP requires ongoing, demonstrable commitment to data protection. Start by working through the checklist above and documenting your current state. Identify gaps, assign owners, and set deadlines.
If your firm handles any volume of personal data — and every law firm does — the question is not whether to invest in compliance, but how quickly you can close the gaps that expose you to liability.
GWARD gives you the technical foundation: continuous monitoring, real-time threat detection, and audit-ready logs. The compliance framework is yours to build. The infrastructure to enforce it is ours to provide.
Protect your firm's client data today
Join the GWARD waitlist and get enterprise-grade cyber protection installed in 15 minutes.