Published on March 08, 2018

Castor is getting ready for GDPR coming up this May!

What is GDPR?

The General Data Protection Regulation (GDPR) is a law that aims to strengthen and unify data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU. GDPR will be immediately applicable in each EU member state and doesn’t require the implementation of national legislation.

Castor already ensures that your (personal) data is secure and handled in line with privacy laws. As the law changes, it is important to you as a researcher working at a research institute, (academic) hospital, or medical device company, to stay compliant after the GDPR becomes binding.

Data Protection Officer

One of the first steps Castor took to comply with GDPR was to appoint a Data Protection Officer (DPO). The key focus of the DPO is to oversee data privacy compliance and manage data protection risks. A DPO is required because Castor processes special categories of personal data on a large scale as a core activity.

Appointing a DPO was the first step in the series of measures that need to be taken to get GDPR compliant. Read more about how Castor ensures preparedness for GDPR!

Data Processing Agreements, registration of data flows and mandatory DPIA’s under GDPR

One measure GDPR takes to strengthen privacy is requiring companies to create an overview of personal data flows to increase transparency of how they use such data. In many business relationships there is a flow of data to one undertaking, or organization, to another. For example where a Data Processor carries out processing activities on behalf of a Data Controller. If this data, wholly or partly consist of ‘personal data’ the law requires written data protection provisions, often set in an Data Processing Agreement. Thus far, nothing new.

Under the GDPR, the Data Controller must have a written contract with more specific requirements. With regard to the processing of (patient) research data, Castor, the Data Processor, has an up-to-date Data Processing Agreement in place as part of the License Agreements with research institutes, the Data Controllers. Castor also sets out contractual obligations with Sub-Processors to fulfill the requirement under the GDPR.

Data Controllers must also ensure that the Data Processors use appropriate methods to protect the safety of the personal data they hold. Castor has implemented appropriate security measures for all types of data and ensures a sufficient level of information security conforms with ISO 27001.  ISO 27001 does not cover GDPR compliance but definitely helps in being GDPR compliant. ISO 27001 covers a lot of information security measures (think about supplier risk assessments) that also need to be in place for GDPR. See our ISO 27001 certificate here!

Like most organizations, Castor is currently finalizing the Personal Data Flow mapping in respect to GDPR’s article 30,which requires the maintenance of records of processing activities. The data mapping will facilitate a better understanding of the quantity and value of personal data at Castor and provide a toolset to manage risks and controls. As we are preparing for GDPR, the data mapping gives us a good understanding of what personal information we are collecting, for what purpose, and how the personal information is safeguarded throughout our processes.

Under the GDPR, Data Controllers must carry out a Data Protection Impact Assessment (DPIA) when a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. Castor mainly executes the role of Processor but also executes the role of Controller. For example, when handling HR data, the DPIA provisions can apply in a way that might mean that Castor as the controller, would need to carry out a DPIA.

Let the countdown to GDPR begin! Sign up for our newsletter to receive future updates!