SURF Security & Privacy Conferentie 2026

Five Years of Managing Privacy Compliance with the Privacy Scan Framework – Insights and Practical Lessons
25-6-2026, Session 4
Language: English

Discover how the Privacy Scan Framework helps manage privacy compliance in a more efficient, timely and scalable way. In this session, you’ll learn how the framework works in practice and how it supports key GDPR obligations. As a participant, you are encouraged to bring your own challenging cases for discussion.


At the start of his appointment as Privacy Officer of the Geo Faculty at Utrecht University in May 2020, Francisco Romero Pastrana was faced with the usual challenges: maintaining a processing register, handling DPIAs, giving advice on what is and is not allowed, etc. While the goals and principles were clear, he was spending too much time and effort acquiring processing knowledge and transcribing this into compliance documentation. He needed to find a better way to manage all of it in a more efficient, timely, and scalable way.

Out of that necessity, the Privacy Scan Framework was born. It started as a way to collect and document the relevant details of an activity in order to determine whether a DPIA was needed. Today, the Privacy Scan is a scalable, DPIA-like description and assessment of processing activities. It is now the cornerstone of privacy compliance management at the faculty, allowing efficient compliance with GDPR Articles 24, 25, 30 and 35. From a few dozen Privacy Scans in 2021 and 2022, around a hundred privacy scans are now conducted on average every year by faculty members. The scans are completed and approved within a couple of weeks on average, covering a broad range of research, education, and business-related processing activities.

In this session, Francisco will describe how the Privacy Scan Framework works in practice, including research- and education-related examples of processing activities for which it is often challenging to demonstrate compliance: for example, when there is an imbalance of power, or when it is not possible to obtain consent, so that other legal bases beyond consent are likely more suitable.

Francisco is a specialist in personal data protection, with professional certifications in European data protection law (CIPP/E), privacy management (CIPM) and privacy in IT (CIPT). Since 2020, he has been the Privacy Officer of the Geosciences Faculty at Utrecht University.