Digital health startups must build for privacy and data security first
Digital health startups are on the rise, transforming the future of healthcare. However, many startups do not realize that complying with GDPR is a top priority. Startups often operate in regulatory grey areas, with many founders preferring to execute now and ask regulators for forgiveness later. That approach does not work in healthcare: the sector has a complex web of incumbent stakeholders (service providers, clinics, payors, patients, etc.) and is known for its deep fragmentation and data silos.
Obviously, getting the tech and product right is paramount, as is figuring out the path to commercialization, finding market fit, navigating regulatory approvals and hiring a stellar team. But many growing digital health companies seem to lack focus on their data handling when building their product.
🤔 GDPR could change the digital health landscape, if not respected carefully
The GDPR is the EU’s new data protection law that came into effect on May 25, 2018. The GDPR replaces the 1995 EU Data Protection Directive and strengthens EU data protection rules. It gives individuals more control over their personal data, and imposes stricter fines for companies that violate these rules.
Digital health startups need to be aware of GDPR compliance requirements, as they apply to any company that processes the personal data of EU citizens. GDPR compliance is not optional – it is mandatory for all companies that process the personal data of EU citizens, regardless of whether they are based inside or outside the EU.
Under GDPR, digital health startups must:
1️⃣ Obtain explicit consent from patients before collecting, using, or sharing their personal data
2️⃣ Keep patient data secure and protect it from unauthorized access, use, or disclosure
3️⃣ Allow patients to access their own data and correct any inaccurate information
4️⃣ Delete patient data upon request, if not flowing into the EMR
GDPR compliance is a complex issue, which means that every founding team needs to consider it from the very early days. Every data flow needs to be secured by the infrastructure the startup puts in place. Focusing on this early on can be a large competitive advantage!
Asking founding teams about their GDPR compliance in the first calls can already indicate how well the founders understand the importance of this topic and how they have planned for it.
⛓ Privacy-first product
Building a privacy-first product is key to GDPR compliance. By taking privacy into account from the early stages of product development, digital health startups can avoid many of the common pitfalls that lead to GDPR non-compliance.
When it comes to digital health, data protection is not a ‘nice to have’ – it’s a legal requirement. The GDPR imposes strict requirements on how personal data must be collected, used, and protected. Startups that fail to comply with the GDPR can be fined up to 4% of their annual global turnover or €20 million (whichever is greater).
Building a privacy-first product is the best way to avoid GDPR non-compliance. By taking privacy into account from the early stages of product development, digital health startups can ensure that their products are GDPR-compliant from day one.
Here are five reasons why building a privacy-first product is key in digital health:
1️⃣ GDPR compliance starts with data minimization
Under the GDPR, companies are required to collect and process only the personal data that is necessary for a specific purpose. This principle is known as data minimization.
Digital health startups should take a privacy-first approach to product development and design their products in such a way that only the minimum amount of personal data is collected.
2️⃣ GDPR compliance requires data security
Another key requirement of the GDPR is ensuring the security of personal data. This means taking appropriate measures to protect personal data from accidental or unauthorized access, destruction, alteration, or disclosure.
Companies must ensure that their products are designed with security in mind and that all personal data is stored securely. In some cases, the server location is an additional parameter to be considered.
3️⃣ GDPR compliance demands transparency
Under the GDPR, companies must be transparent about how they collect, use, and disclose personal data. This means providing clear and concise information to individuals about their rights and how their personal data will be used.
Teams must be transparent about what personal data they collect, why they collect it, and how it will be used (e.g. storage in the EMR). They should also provide individuals with an easy way to access their personal data and exercise their rights under the GDPR.
4️⃣ GDPR compliance requires accountability
The GDPR imposes strict accountability requirements on companies that process personal data. Companies must take responsibility for ensuring that they comply with the GDPR’s principles, and they must be able to demonstrate their compliance to regulators.
Companies must put in place appropriate policies and procedures to ensure that they comply with the GDPR. This includes implementing technical and organizational measures to protect personal data from accidental or unauthorized access, destruction, loss, or alteration.
5️⃣ A privacy-first approach is good for business
Adopting a privacy-first approach can be good for business. Customers are increasingly concerned about their online privacy, and they are more likely to do business with companies that respect their privacy rights.
Digital health startups that adopt a privacy-first approach will be well positioned to win customers’ trust and build their moat while others are still not GDPR compliant. In the age of data privacy, customers are looking for companies they can trust with their personal data. Privacy-first digital health startups will be able to differentiate themselves from their competitors and win customers’ trust. By embedding privacy by design into their products, they can avoid the hefty fines that GDPR entails.
I would like to see more teams being more conscious of their data, especially patient data. Founders need to make sure they put data privacy & security at the heart of their business, and should also consider hiring a GDPR expert sooner rather than later!
🎶 Closing with a podcast recommendation 🎶