Compliance and frameworks of standards

How can an institution comply with the new GDPR, and what does it need to do so? SURF has worked with the institutions to draw up a number of documents that help them achieve this. These documents give a specific interpretation of the obligations under the GDPR and often include explanations.

SURF Legal Standards Framework for (Cloud) Services

The SURF Legal Standards Framework for (Cloud) Services describes the standards for privacy, confidentiality, availability and ownership of information. Institutions can use this document as a basis for their agreements with their (cloud) suppliers. The new GDPR-compliant Processor agreement was published in October 2017. This standards framework also offers guidance on security measures and audit obligations.

All documents related to the SURF Legal Standards Framework for (Cloud) Services are available on this page.

Other documents

GDPR and education assessment framework

A GDPR testing framework may help make clear and verifiable what the GDPR provisions actually mean for institutions. Specific organisational measures can be devised based on the law's standards. A testing framework helps institutions see where they stand in terms of GDPR implementation. SURF is working on such a testing framework.

The framework and the baseline prepared for the NFU (collaboration of teaching hospitals) are used as a basis for the documents. This basis is adjusted: specific medical regulations are removed and regulations on education and research may be added.

The standards framework is expected to be delivered in April 2018, when it will also become part of SURFaudit. It will also become available in the SURFaudit tool in the course of Q2 2018.

Latest modifications 20 Sep 2018