
Date: 03-06-2026 Category: Education Written by: Jesse van der Huizen

Getting a grip on privacy: Managing personal data in education

Educational institutions hold and analyse large volumes of data, including information on students, staff and suppliers. It is therefore essential for these institutions to store and manage personal data securely. Jesse van der Huizen and Nathan van der Meulen of BPM Consult explain how institutions can achieve this.

Personal data includes all information that directly or indirectly relates to an individual, such as names, telephone numbers, religious beliefs or medical information. Educational institutions have a responsibility to handle these data with care.

In many educational institutions, there is little control over, or insight into, the manual processing of personal data. Manual processing includes activities such as recording job applications, storing participant lists or editing medical records. Many such processes have grown up in institutions without ever being deliberately designed, and this does not always go well. Two common problems are:

  • Employees carry out activities that are not compliant with the GDPR because the educational institution does not have established processes in place for high-risk data processing.
  • Limited awareness among employees of the risks associated with careless handling of personal data.

A five-step plan for achieving control

To effectively address these challenges, it is important to adopt a step-by-step approach focused on increasing insight into and control over processes, ensuring employees comply with GDPR, and raising awareness of data security.

Step 1: Interviews to determine the scope
Educational institutions that are starting with GDPR compliance often lack a clear picture of where manual processing of personal data takes place and what its scope is. In many cases, there is a general idea of which processes are ‘not working well’, but what is actually going wrong, as well as the scale and scope, remains unclear.

To gain this insight, a good first step is to conduct exploratory interviews with both process operators and management. This helps build a picture of the impact, scale and risks of data processing activities. The next activity is to carry out a risk analysis to determine which risks should be mitigated first.

Step 2: Workshops to map processes and risks
The next step is to organise process workshops with process operators. This makes it possible to map out the current process in detail, including risks and mitigating measures.

In addition to producing a process design with detailed risks, participants also learn from each other by gaining insight into each other’s working methods and associated risks. Awareness of data processing increases and employees begin to recognise the importance of handling personal data carefully.

Step 3: Visualising the desired situation
A third step involves a second series of process workshops to define the desired situation. Together with process operators and privacy officers within the organisation, a target process is developed. The aim of these workshops is to mitigate risks and make the process GDPR-compliant. Topics that are advisable to address in these workshops include:

  • Cleaning up folders and documents;
  • Defining retention periods;
  • Determining which communication channels are used to share data;
  • Deciding which applications are used within the process;
  • Achieving data minimisation, for example by avoiding lists containing personal data circulating within the organisation.

It is helpful if the outcome of these workshops takes the form of a documented process in which the desired situation is clearly described and ready for implementation.

Step 4: Documentation
Visualisation and documentation are needed to clearly capture the desired way of working and make it accessible to employees. In this step, it is important to develop visual, hands-on work instructions that are easy for everyone in the organisation to understand.

It is also recommended to design (A3) infographics to be displayed in visible locations throughout the workplace. Infographics help clarify how to handle manual processing of personal data and serve as a constant reminder to employees of their responsibilities.

The final element is to establish a procedure that clearly describes how the organisation handles manual processing of personal data, in line with GDPR requirements. This procedure should be written in clear, accessible language so that all employees can easily follow the guidelines.

Step 5: Implementation
At this stage, it is advisable to develop an implementation plan that addresses the following points:

  • Communication: Sharing the available documentation with the relevant managers and employees.
  • Knowledge sessions: Organising sessions to reflect on the risks associated with manual processing of personal data.
  • Central documentation: Making documentation accessible in one central location.
  • Monitoring and governance: Establishing and transferring responsibility for monitoring and maintaining the documentation to the privacy officer.
  • IT adjustments: Implementing any necessary IT changes to support the new way of working.

In a project like this, collaboration with the privacy officer and managers is of great importance. They not only play a key role during the execution of the project, but are also responsible for monitoring once it has been completed.

Benefits of this approach

Such an approach delivers three key benefits for educational institutions:

  • Insight and control for management: By mapping processes and identifying risks, management gains a clear overview of where and how personal data is processed. This not only supports compliance with legislation, but also enables them to address bottlenecks proactively.
  • Employees are compliant with the GDPR: By providing clear work instructions and training, the organisation ensures that employees follow the correct procedures and comply with the GDPR.
  • Increased awareness among employees: By actively involving employees in the change process, awareness of their own role and that of their colleagues is enhanced. This leads to a culture of responsibility and due care within the organisation.

Conclusion

Educational institutions face challenges related to digital transformation, where public values such as security and privacy require proper safeguarding. The GDPR places responsibility on institutions to maintain full control over the processing of sensitive personal data. This is particularly important as the volume of stored and shared personal data of pupils, students and staff continues to grow, along with the risks of cyberattacks.

Recommendations from the Dutch Data Protection Authority, the Rathenau Institute and the Inspectorate of Education emphasise that educational institutions must raise their digital resilience to maturity level 3, which represents an effective and demonstrable privacy policy.

Through a structured approach involving interviews, process workshops and implementation, educational institutions gain control and insight into the manual processing of personal data. This brings them a step closer to the desired maturity level 3. Moreover, employees are actively involved in the process, which increases their awareness.
