Privacy tools

The GDPR Tool helps Population Biobanks, Cohorts & Registries to comply with the new GDPR that was entered into force in 2018. It allows users to set up and maintain records of processing activities, to carry out data protection impact assessments, to run GDPR compliancy checks, and access to GDPR contracts and multiple checklists to get answers to concrete questions arising under the GDPR.

Why the GDPR Tool?

The entry into force of the GDPR in 2018 imposed on Population Cohorts, Biobanks and Registries a large number of obligations to protect the personal data of their participants (aka ‘data subjects’). The typical response has been to work with Excel sheets, which is indeed a means to meet the obligation to set up the mandatory Records.

The GDPR, however, comprises many more obligations. These obligations are diverse and vary from the very detailed (e.g. the obligation to inform data subjects) to the generic (e.g. ‘Privacy by Design’). The GDPR tool was developed to help meet all these obligations:

  • Comprehensive tool. The GDPR Tool offers a comprehensive approach, covering all pertinent obligations under the GDPR back to back. 
  • Compliance with the GDPR principle of accountability. Controllers must not only comply with the GDPR, but also be able to demonstrate their compliance. Noncompliance may subject controllers (and processors) to severe measures (e.g. cease processing of personal data) and/or stiff penalties. Using the tool helps controllers to meet their ‘documentation obligation’.
  • Research specific. Both the GDPR and the Act Implementing the GDPR (the GDPR IA) have a number of provisions and exemptions with regard to processing of personal data for purposes of scientific research. These specific provisions have been incorporated in the tool.
  • Meeting demands from stakeholders. A fourth reason to develop the tool is that it enables Population Cohorts, Biobanks and Registries to show their GDPR compliance not only to the Data Protection Authority, but also to their participants, their researchers (fellow PI’s, Post docs and PhD students), IRBs, journals and funders. 
  • Source of information, sounding board and advisory tool. The tool offers users a source of information: all questions in all checklists have been annotated with the applicable provisions and recitals from the GDPR and ancillary information. Users could also use the tool to get answers to concrete questions relating to specific issues, such as ‘which information should I provide to my participants’ or ‘how can I transfer my personal data outside the EU?’ 
  • Instrument to harmonize answers to GDPR questions.  As the interpretation of the GDPR continues to raise new questions, the continuous improvement and maintenance of the tool will function as an instrument that helps harmonize the answers to these questions.
  • Freely available to an unlimited number of users. Finally, the tool has been developed to help meet the economic constraints Population Cohorts, Biobanks and Registries face when seeking GDPR compliance: there are various GDPR tools on the market, diverging in quality and price tags, which in turn depend on the number of users. None of these tools take the specific provisions of the GDPR and the GDPR IA for processing for purposes of scientific research into consideration. 

Intended users

The GDPR tool was developed as a service for Population Cohorts, Biobanks and Registries that seek GDPR compliance. The GDPR tool is freely available for members of the BBMRI Consortium, for an unlimited number of users and datasets.

Using the GDPR Tool

The GDPR tool has been developed in collaboration with the software company GeckoTech and its security features have been approved of by BBMRI-NL. The tool runs as a SaaS application on a secure server hosted in the Netherlands. It will be made available upon request by sending an email to info@dataprotectioncompliancetool.com

Additional Information

The GDPR tool has been tested, is being continuously adapted and expanded and currently has over 1300 active datasets. Currently, the tool is only available in Dutch, but an English version is scheduled to be published in spring 2019 in collaboration with BBMRI-ERIC.

For more information, contact Mr Dr Jasper A. Bovenberg, lawyer and certified privacy professional (CIPM and CIPP/E), and director of the Legal Pathways Institute for Health and Bio-Law.