General Data Protection Regulation (GDPR)

The new European privacy legislation has been in place since 25 May 2016: the General Data Protection Regulation (GDPR). This also has consequences for higher education and research. Institutions have to respond well on time and SURF helps them do this.

AVG verordening

New privacy legislation: significant consequences

The new privacy legislation, the GDPR, has been developed at European level since 2012.  This regulation was officially published and a 2-year implementation period started in May 2016. This means that from 26 May 2018, everyone processing personal data in Europe must comply with this regulation. The current Dutch personal data legislation, the Personal Data Protection Act, will no longer be in effect from that date. There are therefore many changes in terms of privacy legislation, and it is up to the institutions to respond in a timely manner.

Starting points for the new regulation

The GDPR contains rules on the handling of personal data, which are the same for all organisations throughout the EU. The purpose of the regulation is to require careful processing of personal data in order to protect the privacy of data subjects and their data. Organisations must also make it clear to data subjects why and for what purpose personal data are collected, used, consulted or processed in any another way.

The GDPR follows a number of basic principles, such as lawfulness, due diligence, transparency, confidentiality, integrity and data minimisation. These principles are also reflected in the Dutch Personal Data Protection Act and are therefore already applicable law, but the GDPR imposes stricter requirements on the implementation and requires more documentation and justification from organisations in this regard. You can read more about the principles of the GDPR between the Dutch Personal Data Protection Act and the GDPR (in Dutch) on the special Wiki page.

SURF helps with GDPR preparation

The new regulation has many consequences for education institutions. SURF has therefore been working on the GDPR with the institutions since 2015. We share knowledge about the law, but we also draw up guidelines and recommendations. The following diagram shows all activities and links to more information about the different themes:

GDPR knowledge transfer

Compliance and frameworks of standards

Impact and risk assessment

Privacy by design and privacy by default

SURF services

overzicht van alle projecten rondom de AVG bij SURF