New privacy legislation: significant consequences
The new privacy legislation, the GDPR, has been developed at European level since 2012. This regulation was officially published and a 2-year implementation period started in May 2016. This means that from 26 May 2018, everyone processing personal data in Europe must comply with this regulation. The current Dutch personal data legislation, the Personal Data Protection Act, will no longer be in effect from that date. There are therefore many changes in terms of privacy legislation, and it is up to the institutions to respond in a timely manner.
Starting points for the new regulation
The GDPR contains rules on the handling of personal data, which are the same for all organisations throughout the EU. The purpose of the regulation is to require careful processing of personal data in order to protect the privacy of data subjects and their data. Organisations must also make it clear to data subjects why and for what purpose personal data are collected, used, consulted or processed in any other way.
The GDPR follows a number of basic principles, such as lawfulness, due diligence, transparency, confidentiality, integrity and data minimisation. These principles are also reflected in the Dutch Personal Data Protection Act and are therefore already applicable law, but the GDPR imposes stricter requirements on their implementation and requires more documentation and justification from organisations in this regard. You can read more about the principles of the GDPR and the differences between the Dutch Personal Data Protection Act and the GDPR (in Dutch) on the special Wiki page.
SURF helps with GDPR preparation
The new regulation has many consequences for education institutions. SURF has therefore been working on the GDPR with the institutions since 2015. We share knowledge about the law, but we also draw up guidelines and recommendations. The following diagram shows all activities and links to more information about the different themes: