Privacy & Security Specialist
Privacy and security aren’t just boxes to check at the end of a project; for us, they’re design principles that are built into the architecture from day one. You’re the specialist who helps make that happen: technically skilled enough to contribute to the thinking of our TPMs, and a strong communicator capable of translating those insights to lawyers and team leads.
Where you will work
SURF is the ICT cooperative for Dutch educational and research institutions. Together with them, we work on digital services and complex innovation challenges to enhance the quality of education and research.
You will be working in the Accessible and Open Education & Research unit, which consists of 10 different types of teams, all of which are involved in the development of digital sector-wide services for institutions.
The team you will join
Within the unit, you’ll work in an environment where privacy and security are essential: we handle sensitive data from education and research, and new digital services are constantly being developed and expanded. We adhere to the principles of open and reusable design, while at the same time ensuring that privacy and security are built into our development process “by design” and “by default.” The challenge lies in striking the right balance: how do you ensure maximum openness and accessibility while firmly safeguarding privacy and security?
You’ll work closely with team leads, product managers (PMs), technical product managers (TPMs), legal counsel, and a fellow privacy and security advisor. As our products and services grow, the team is expanding. Together, you’ll ensure that technical solutions meet applicable standards and best practices, while also being practical for the teams that build and manage them.
What you will do
Our products operate on the principle of “open by default, unless there’s a good reason not to.” You’ll help teams make that decision—not from a supervisory role, but as someone who proactively contributes to technical design and architecture discussions.
You are the first point of contact for technical product managers when they are conceptualizing a new service, integration, or architectural choice. You identify privacy and security risks before they are implemented and help devise solutions that fit within the framework and are feasible for the teams.
Specifically, this means:
- Providing early and active advice on technical designs, architecture, and processes before any code is written
- Assessing risks related to availability, integrity, and confidentiality from a technical perspective
- Ensuring privacy and security by design and by default in an environment based on open collaboration
- Conducting DPIAs and documenting privacy considerations in a way that helps teams move forward rather than slowing them down
- Formulating practical, actionable guidelines, translating legal and compliance frameworks into concrete technical implementations
- Collaborating with legal counsel as a substantive technical discussion partner, not merely as a conduit
- Supporting team leads so that privacy and security are ensured within their teams, without requiring them to be security experts
Your skills and experience
First and foremost, you are a tech expert. You understand how systems are designed, built, and managed, and you use that understanding to advise on privacy and security. You are neither an auditor nor a lawyer. We are specifically looking for someone who can hold their own in technical discussions with our TPMs while also understanding the language of lawyers and compliance professionals.
Hard requirements:
- Demonstrable knowledge and experience in both privacy and security—both, not just one of the two
- Technical background: you understand software architecture, systems, and infrastructure at a level that allows you to provide substantive advice
- Dutch at a minimum C1 level (required for understanding laws and regulations and for the advisory role), English at a minimum C1 level
- HBO+/university-level work and thinking skills, preferably in IT, cybersecurity, or a related field
What else you bring to the table:
- Experience with privacy by design as a design strategy in technical projects
- Knowledge of the GDPR and compliance processes, as a framework, not as a core subject
- Experience drafting or supervising DPIAs
- Proactive, solution-oriented attitude: you identify risks, but always contribute ideas on what is possible
- An affinity for open source and open science is a plus
SURF takes pleasure in doing its recruitment itself; acquisition is therefore not appreciated.