Zifo's GDPR Commitment

What is the GDPR?

The GDPR or the General Data Protection Regulation replaces the Directive 95/46 in May 2018. It brings about a monumental change in the ways personal data of people within the EU Union is handled and harmonises data privacy rules across the EU; the most influential areas being the broadening of the definition of personal data, the inclusion of extra-territorial scope, the emphasis on data subject rights and of course the huge penalties that follow non-compliance.

Ultimately the GDPR shifts the control towards the data subjects in what, why and how their personal data is processed.

The six main principles of GDPR are

Zifo's commitment towards GDPR

We, as an organisation offering services to the Pharmaceutical, Biotech, Medical devices, and CRO companies, are fully committed towards protecting the privacy of all personally identifiable data we gain access to. Data privacy is considered as a key aspect in all our services and products. As an organisation operating in the R&D Informatics area, where such strict regulations are commonplace, GDPR is another milestone to achieve.

Being a service provider, Zifo will act as a data processor to all our customers, who are data controllers. Such processing activity will be restricted to the instructions of the data controller through mutually established contractual agreements.

Zifo will primarily process any address book information given freely as part of sales and business agreements for communication and system support purposes.

All clinical data we process is pseudonymised and hence protected by default. Clinical data in generality, both blinded and unblinded, is treated as sensitive personal data and proportionate data protection measures, in accordance to GDPR and other applicable regulations, will be in place.

Where Zifo is a sub-processor, the processor organization who subcontracts the processing activities to Zifo shall define Zifo's roles and responsibilities for the same and Zifo shall comply with all GDPR requirements applicable to data processors in such cases.

Zifo shall not engage sub-processors without prior consent from the data controller. When such an engagement is agreed upon, Zifo will ensure the sub-processor complies with necessary GDPR requirements by signing GDPR compliant agreements.

GDPR also brings about changes in marketing, sales and HR functions to organisations such as Zifo, which operates globally. We will act as a data controller in this case.

To account for these requirements, Zifo will ensure that marketing is done for legitimate interests, restricting to address book information. All prospects and customers shall be given the explicit option to opt out.

Every EU employee will be made aware of the rights and any restriction to rights as a data subject at the time of on-boarding through an agreement, and is expected to adhere to applicable GDPR requirements while handling personal data within the organisation.

All technological solutions developed by Zifo will address the privacy of personal data as an integral component of the product development process right from its conception, throughout the Software development lifecycle, ensuring that personal data is protected by design.

We are ISO/IEC 270001/2013 certified, the International Standard for Information Security Management system.

Standardised physical / logical controls and security measures are in place to maintain data integrity, confidentiality and availability

We believe in achieving compliance to GDPR by integrating data protection best practices into our organisational structure. Following are the best practices:

  • Data Protection Impact Assessment (DPIA) - Define, Assess, Review controls, Implement data governance strategies, Monitor
  • We are ISO/IEC 270001/2013 certified, the International Standard for Information Security Management system
  • Standardised physical / logical controls and security measures are in place to maintain data integrity, confidentiality and availability
  • Transparent Data Privacy and Confidentiality policy
  • Continuous employee training on privacy policies and personal data handling procedures
  • Data breach and non-compliance redressal system
  • Mechanisms to ensure appropriate agreements are signed with data controllers and data processors we engage.
  • Access to personal data only through authorized user accounts
  • All technological solutions provided by Zifo as well as configurations made over these solutions:
    • comply with regulatory requirements for computerized systems
    • are validated for their fitness for use and applicable regulations
  • Data subject's "opt-out" status is tracked and monitored for processing activities such as marketing
  • Process in place to assess and monitor compliance to GDPR on a periodic basis

Any breach to privacy of personal data will be considered and logged as an incident, within Zifo. The data controller/ data subject, as applicable shall be notified within 1 business day of detection of the breach. Resolution actions, as needed, shall be initiated and communicated appropriately.