Do you only perform compliance processes on applications that SURF has an agreement with?

No, we run trajectories for vendors/applications where there is a need within the sector for conversations about privacy and/or security. These do not have to be parties we already have an agreement with. Wherever possible, we negotiate modifications/contract agreements that benefit the entire education and research sector. This applies even if contracts are negotiated directly between the institution and the vendor. An additional advantage is that these processes can lead to an agreement through SURF, as happened with Zoom.

How will decisions be made about which pathways to take up/what is the governance?

Twice a year we inventory needs with: the Procurement Network, CSC/security-procurement linking pins, CISOs, POs, FGs (SCIPR), the Cybersecurity Regiegroep, the Taskforce Beyond Privacy Shield and MBO Digitaal.
We aggregate needs based on criteria such as possible national collaborations, use and urgency within sectors, identified issues (for example with data storage), incidents, possible conflicts with SURF procurement processes, and weight (small, medium, large). This information is translated into a proposal for the calendar (when will which trajectories be implemented?). The calendar is submitted to the Cybersecurity Steering Committee, which coordinates it with the constituency and produces a supported advice on the calendar.
The advice goes to the CSC chairs, who advise the Executive Board of SURF. The results of the advice are submitted to SURF's Executive Board for adoption/approval. We inform the aforementioned stakeholders and deliver the service. We report to the Cybersecurity Steering Committee in accordance with the existing frequency and annual cycle within SURF. If the evaluation shows that substantial changes are desired, these will be submitted to the SPA.

What is the added value of this service since institutions are responsible for whether or not to deploy an application?

We have been asked by members whether we would conduct DPIAs, DTIAs and security checks, on behalf of the sector, on vendors/applications relevant to the majority of members. SURF negotiates on behalf of the entire sector, which makes us many times stronger towards suppliers than individual institutions are.
Once we have performed a risk analysis on a supplier/application, we enter into discussions with the supplier about measures to resolve the risks found as far as possible. Many of these agreements are laid down in, for example, a standard processing agreement. Instructions are also drawn up describing how institutions can use the application in the most privacy- and security-friendly way possible. These instructions are shared publicly as much as possible. Whether your institution actually uses the application is up to the institution itself: the institution remains responsible for assessing whether the application/supplier can be used within its own processes. We do a lot of preliminary work, but the institution itself must make it applicable within its own organization. You can benefit from the technical, organizational and legal agreements that we have arranged for you.

What is the cost to use this service?

The cost of implementing compliance pathways is funded from the Basic Fee Purchasing and Digital Platforms (BIDP). The members have given approval to include the SURF Vendor Compliance services in this. Almost all members pay this basic fee, which therefore also covers the SURF Vendor Compliance services. The service is thus funded at the central level.

How can I communicate my requirements for new compliance pathways?

We take on an average of eight trajectories per year. To collect the needs for the agenda, twice a year we send out a survey to the following people: CISOs, security officers, privacy officers and FGs through the SCIPR network, software contact persons, CSCs, the Cybersecurity Direction Group, the Beyond Privacy Shield Taskforce and MBO Digitaal (through the IBP network).
If you have any wishes in the meantime, please pass them on via the inventory form. Wishes received in the interim will be included in the next update of the calendar.

Is it useful to have multiple individuals express my institution's needs, or do you look institution-wide at the needs received?

If there are different needs within the institution, for example in different departments, different people may submit them. If the same application is mentioned several times, we count it once: every application submitted counts once per institution.

Why do compliance pathways need to be implemented?

Institutions use a wide range of vendors. In many cases, suppliers process personal data of SURF members and their users. Institutions are obliged under the General Data Protection Regulation (AVG) to check how their suppliers deal with privacy and security. SURF undertakes such compliance processes at the request of institutions. We discuss privacy and/or security with suppliers on behalf of institutions and ensure that suppliers take measures to resolve identified risks. It pays to do this collectively on behalf of all the institutions: by combining knowledge and expertise, we achieve cost savings, share knowledge, and have a stronger negotiating position towards suppliers.

What is a DPIA?

A DPIA (Data Protection Impact Assessment) is a tool to identify privacy risks to data subjects (e.g. users). Under the General Data Protection Regulation (AVG), a DPIA is required if there is large-scale processing of personal data or processing of sensitive personal data.

Why does SURF commission DPIAs?

Through SURF, the members make joint agreements with ICT and content suppliers regarding the supply and purchase of products and services. In this way, the members jointly ensure scale and an efficient point of contact for suppliers. Performing risk analyses such as DPIAs is part of this. In many cases suppliers process personal data of (employees and students of) SURF members. It is therefore important that suppliers comply with laws and regulations. SURF collaborates in this as much as possible with partners such as SIVON and the government. Together, several DPIAs have already been carried out.

Do SURF and SIVON work together when it comes to DPIAs?

Yes, there is close cooperation between SIVON and SURF, as well as between MBO Digitaal and SURF (and other collaboration partners such as the government). Wherever possible, we collaborate on the various DPIAs or exchange information on ongoing processes.

For whom is a DPIA applicable?

Each institution must decide for itself to what extent the results apply to its own organization. The DPIAs produced can therefore be used by anyone, including organizations outside education and research, but must always be interpreted for the reader's own situation, processes and environment.

Does SURF run the pathways independently?

In most cases we work with collaboration partners such as the government and SIVON, and have studies conducted by external parties such as Privacy Company.

Why are most risk assessments, such as DPIAs, in English?

The risk analyses are in English because English is the language of communication with international suppliers. The results must also be clear to employees of these organizations and not be misinterpreted or mistranslated. In addition, they are then readable by a wide audience.