
DPIA: education and supplier working on privacy

Educational institutions are required by privacy law (GDPR) to carry out DPIAs (Data Protection Impact Assessments). Working together with SURF offers many advantages in this regard. To SURF's surprise, Xedule, a timetable software supplier widely used in vocational education, approached SURF itself with a request to organise a DPIA. In doing so, the supplier initiated a broad collaboration and increased awareness of privacy and information security.

DPIAs provide educational institutions, software suppliers and the government with insight into privacy risks when processing personal data. If the report identifies any points of concern, the institution concerned must take measures to minimise the risks. The initiative for the DPIAs lies with the educational institutions, but a major problem is that there is often little capacity and specialist knowledge available to complete this time-consuming task.

Benefiting from experience

Niels Dutij

“In fact, everyone is constantly reinventing the wheel,” says Niels Dutij, advisor to the Cyber Security programme at MBO Digitaal and data protection officer at various vocational colleges. “This could be done much more efficiently. That is why it is extremely valuable that these kinds of processes are being tackled on a sectoral basis.”

SURF developed the Vendor Compliance service in response to this demand from the education sector. It now has extensive experience in conducting DPIAs. In line with Dutij's experiences, SURF publishes its findings report – which is also an advisory report – publicly. This allows other organisations to benefit from it as well.

“By conducting a DPIA jointly, you can give the supplier a single standard for what you expect as a sector”
Niels Dutij

A single standard for expectations

The report serves as advice for institutions, which remain responsible for their own organisation-specific DPIA. According to Dutij, SURF's Vendor Compliance service does more than just produce a DPIA. It also gives substance to many of the open norms in the GDPR, and thus provides advice on appropriate security. One example is the recommendation to include the monitoring of read access via logging as standard.

An additional advantage for software suppliers is that their customers speak with one voice, according to Dutij. “If all institutions individually communicate their requirements and wishes to a supplier based on their own interpretation of the GDPR, that can be quite difficult. Because who do you agree with? By doing it together, you can give the supplier a single standard for what you expect as a sector. This way, suppliers know better where they stand, and it gives schools clarity about what is and is not available.”

Supplier requests cross-sector DPIA

Karin Kuster

Although DPIA requests usually come from institutions, scheduling software provider Xedule approached SURF itself with a request to carry out a cross-sector DPIA. “In my experience, educational institutions often don't get around to doing a DPIA,” says Karin Kuster, Managing Director of Xedule, part of the Norwegian software holding company Visma. “But it's a shame if such a DPIA isn't done properly.” She explains that privacy and information security have been a top priority at the head office for years, with significant investment in this area.

With this in mind, Xedule felt it was a logical step to request a DPIA itself. Kuster adds: “The responsibility lies with the schools, but also with us as a supplier. So we are happy to tackle this together.” At the start of the DPIA process with SURF, Kuster expected that concrete areas for improvement would emerge. Ultimately, 18 risks were identified, 17 of which were classified as 'high' and one as 'medium'. Based on these findings, measures were identified to mitigate the risks and agreements were made about their implementation.

Regular updates on areas for improvement

Kuster: “It doesn't stop with this report. We are committed to providing regular updates on the progress of the areas for improvement. Privacy is a continuous process in which we proactively involve our customers.”

Walter van Hest

Walter van Hest, Information & Security Manager at Xedule, says: “Precisely because we requested this investigation ourselves, we were able to integrate the results directly into our development cycle. Many of the administrative issues were resolved immediately. The technical improvements are now at the heart of our roadmap. We are not doing this behind the scenes, but in close consultation with the institutions.”

The DPIA therefore turned out favourably for Xedule. Risks did emerge, but they could be mitigated. If risks had been found that could not be mitigated, this would have caused major problems. The timetable software is widely used, particularly in vocational education. Dutij: “This has made it such a large supplier that it is almost too big to fail.”

“By working together openly on privacy and security, you notice that awareness in this area is increasing, both for other suppliers and for the schools”
Karin Kuster

Privacy and security: a priority for everyone

Switching to an alternative during the current school year would have caused a lot of disruption, Dutij emphasises. Still, he is not particularly concerned. “I always try to look on the bright side. I would rather work with a party where I know what the risks are than be completely in the dark because a provider refuses to cooperate with the DPIA, leaving the risks unknown.”

For Xedule, the collaboration with SURF on the DPIA is primarily a way of setting priorities. “By working together openly on privacy and security, you notice that awareness in this area is increasing, both for other suppliers and for schools. That's a positive development.” Dutij does not see it as a problem that Xedule may also benefit from the results of the DPIA. “A DPIA is a tool that schools are required to use for high-risk processing. We should actually be doing this with even more suppliers. You simply want to work together to become GDPR compliant.”

Measures for all institutions

Xedule's action also brought a number of issues to the attention of SURF. For example, when Van Hest approached SURF in November 2023, the organisation had not yet completed the development of a DPIA process. As a result, this investigation could not start until six months later. The initiative from the vocational education sector also brought this sector to the attention of SURF. “For example, SURF members are periodically asked for input for new studies. I often hear from vocational education institutions that their proposals are not always heard, for example when determining for which applications a DPIA is carried out. That is why it is good for vocational schools to clearly communicate their preferences to SURF.”

Dutij sees that a good structural approach to these types of issues has already been developed across sectors. “What I like is that there are two different recommendations: one for educational institutions and one for the supplier. SURF takes up the recommendation for the supplier itself with the company.” He believes it is important to also properly embed the measures for specific institutions. “It's great that a lot of work is being done through the SURF Vendor Compliance service, but each DPIA also involves some homework for the school itself.”
Text: Thijs Doorenbosch

DPIA: education and supplier working on privacy is an article from SURF Magazine.

Do you have any questions about this article? Mail to magazine@surf.nl.