Erasmus University is GDPR ready with architecture

Erasmus University Rotterdam (hereinafter EUR) ranks among the top universities in Europe thanks to high-quality academic education and the impact of its scientific research. EUR is one of the largest universities in the Netherlands with more than 30,000 students and over 3,000 employees. Teaching and research take place at seven faculties, two special institutes and one university college, and these are supported by more than 150 departments.


The advent of the General Data Protection Regulation (hereinafter GDPR) meant that EUR had to demonstrate that it complies with all privacy regulations in the context of accountability. An important step to accomplish this was to gain insight into the current situation. So, in other words: 

  • What personal data are being processed; 
  • Who (inside and outside EUR) are processing personal data; 
  • The legitimacy of these processing operations (purpose and basis); 
  • How do we process these personal data (what is the process and what applications are used in the process); 
  • How long do we keep personal data. 

Highberg supported the EUR in mapping the processing of personal data and unlocking this data in a BI / reporting tool. To map the current situation, the choice was made to do this under architecture. Architecture is usually a connecting factor between people, process, application, data (including personal data) and infrastructure. Architecture is therefore extremely suitable for getting in control of the GDPR. 

The data in the BI/reporting tool is enriched with data from the service management software and privacy software. This provides information about the processing of personal data as well as privacy-related notifications and requests. A dashboard was then built into this tool. The dashboard gives the EUR the following results:

  • Ability to monitor and manage privacy risks based on assessment framework derived from the GDPR obligations and requirements;
  • Insight into the status of the GDPR implementation;
  • Insight into which departments, processes and applications are processing personal data;
  • Insight into privacy-related notifications and requests, and what their status is.

All in all, precisely the combination of expertise from the privacy domain, combined with architecture and BI was of great added value to the EUR in supporting its ambitions regarding the GDPR legislation.

Contact Laura Natrop for more information.

Other case studies