The new European privacy legislation, the General Data Protection Regulation (GDPR), has been in place since 25 May 2016. This also has consequences for higher education and research. Institutions have to respond in good time, and SURF helps them do this.
Duty to report data breaches
The Personal Data Protection Act was amended on 1 January 2016. On that date, a notification obligation for data leaks was added. A manual on this notification obligation with a step-by-step plan and FAQ section was created.
High fines for non-compliance with the notification obligation
The notification obligation requires that in some cases a breach of security measures involving personal data must be reported to the Dutch Data Protection Authority (formerly the Dutch DPA) and the data subject(s). Fines can run up to EUR 820,000.
Step-by-step plan and FAQ section
SURFnet has outsourced this work package to Project Moore solicitors. They have drawn up a concise manual specifically for higher education institutions with a step-by-step plan. This step-by-step plan allows institutions to take measures to prevent data leaks and to act appropriately in case of a data leak. The manual also contains a FAQ section. The manual was completed in June 2014 and was updated in June 2018.
Deliverables and planning
- Step-by-step plan and FAQ section: updated version of June 2018 (in Dutch)
- Information from the 'Autoriteit Persoonsgegevens' on the duty to report data breaches (in Dutch)