CastleBranch and Becker's Hospital Review logo lockup


CB FutureFocus logo


Data Privacy – Legal Considerations


Data can be a powerful asset, helping individuals and organizations unlock new insights and achieve new heights. But collecting and disclosing multiple data points implicates numerous data privacy and consumer protection laws, creating a legal and logistical quagmire for a business seeking to avoid legal liability. CastleBranch‘s 25 years of experience navigating these murky, ever-changing waters enable us to build a robust consent matrix to ensure data-driven tools, like CB FutureFocus™, are legally compliant in controlling and processing data.

Every data privacy law or regulation has its own nuances; however, there are some common themes amongst all of them, most notably:

  1. informed disclosure and consent;
  2. the ability to delete or “erase” data upon consumer request; and
  3. restrictions on how the data is collected, stored, and disclosed.

Furthermore, most data privacy laws assign a particular role to an institution touching consumer data:

  1. Controller — the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  2. Processor — the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data privacy laws require many obligations of both a Controller and Processor:

  1. IT security measures;
  2. disclosure and consent controls;
  3. restrictions on how the data can be collected, stored, maintained, processed, and disclosed; and
  4. the responsibility to provide copies of the data file to the consumer, correct the consumer data file, or delete the consumer data file upon consumer request.

CastleBranch, through our CB FutureFocus™ comprehensive platform, takes on both the responsibilities of Controller and Processor in protecting consumer data and ensuring legal compliance.


For an institution to process this data on its own would mean the institution serves as Controller — and possibly Processor as well — and is subject to all legal obligations and responsibilities thereof.


Leave navigating the compliance quagmire to the experts, while allowing the experts to provide your institution with only the targeted and specific data you need to make informed decisions.


Nursing in Crisis: Rebuilding the Talent Supply Chain from Within and Reversing the Nursing Shortage