The new European privacy legislation has been in place since 25 May 2016: the General Data Protection Regulation (GDPR). This also has consequences for higher education and research. Institutions have to respond well on time and SURF helps them do this.
Compliance and frameworks of standards
How can an institution comply with the new GDPR and what does it need in this regard? SURF has worked with the institutions to draw up a number of documents that will help the institutions to achieve this. They are a specific interpretation of the obligations from the GDPR and often also offer explanations.
SURF Legal Standards Framework for (Cloud) Services
The SURF Legal Standards Framework for (Cloud) Services describes the standards for privacy, confidentiality, availability and ownership of information. Institutions can use this document as a basis for their agreements with their (cloud) suppliers. The new GDPR-compliant Processor agreement was published in October 2017. This standards framework also offers guidance on security measures and audit obligations.
All documents related to the SURF Legal Standards Framework for (Cloud) Services are available on this page.
- The GDPR also states that data leaks must be reported to the Data Protection Authority within 72 hours. The Step-by-step plan on the mandatory reporting of data leaks (pdf, in Dutch) describes what data leaks are and how you can set up your institution to include a data breach reporting procedure.
- The Landelijk Coördinatiepunt Research Data Management can provide assistance to institutions that collect data for research purposes.
GDPR and education assessment framework
A GDPR testing framework may be helpful to make it clear and verifiable what the GDPR provisions actually mean for institutions. Specific organisational measures can be devised based on the law's standards. A testing framework helps institutions to see where they stand in terms of GDPR implementation. SURF is working on such a testing framework.
The framework and the baseline prepared for the NFU (collaboration of teaching hospitals) are used as a basis for the documents. This basis is adjusted: specific medical regulations are removed and regulations on education and research may be added.
The delivery of the standards framework is expected in April 2018, when it will also become part of SURFaudit. It will become available in the SURFaudit tool as well in the course of Q2 2018.