GDPR and Digital Health Apps compliance
This article covers common questions about the new EU General Data Protection Regulation (GDPR)[^1] and how it impacts digital health developers.
Why do Digital Health businesses need to comply with GDPR?
Simply because every digital health app manages (collects, stores, shares) health data, which according to GDPR is sensitive data and subject to criminal law responsibility.
Most importantly, misuse or non-protection of data can lead to very high fines: by achieving compliance you will be able to avoid them, to increase trust in your product and to work with large companies or health institutions. For example, hospitals, insurers or pharma companies will ask you to demonstrate compliance by performing Security Risk Assessments, which draw heavily on ISO 27001 or ISO 27002 control objectives: you will need to be ready at that moment.
The compliance risks depend on what data you are collecting. There can be several cases, and you can easily check whether and how the data you are collecting needs protection in our Self-Assessment Compliance test.
How do I become GDPR compliant?
You become compliant by implementing appropriate legal/administrative and technical requirements to ensure the management, confidentiality, integrity and security of the data you collect. In addition, you must ensure that your service providers (so-called Data Processors) provide you with a GDPR-compliant contract. Let's look at the requirements more closely:
- Legal/Administrative: they need to be considered case by case, involving lawyers and privacy experts and carefully studying the entire EU privacy framework (GDPR, NIS directive, EU-US Privacy Shield, etc.). You must collect users' explicit consent, notify the data protection authority, define a website privacy policy, perform security risk assessments and certify the company and product depending on the nature of your health application.
- Data Processors: you need to ensure that your service providers are compliant with the new GDPR Data Processor rules. In other words, they need to provide you with adequate reliability (i.e. an SLA), guarantee physical infrastructure protection and hold the required certifications (depending on the Member State). You must choose service providers that allow you to satisfy all EU rules for the processing and storage of sensitive data.
Suggestions: Building your own infrastructure is hard and time-consuming. Before choosing any infrastructure provider, check its Terms & Conditions or contract! Chino.io can help you with this!
Suggestions: developers must ensure that their data processing is legal and that their service is properly regulated within Terms and Conditions.
- Technical/security: a typical cloud application has different backend components that are responsible for user, data and application logic management. The technical safeguards mainly concern the API, the users and the health data. They include implementing authentication, access control, encryption of data in transit and at rest (storage), a secure audit log, security monitoring and updates, backups, and reliability (QoS and SLA).
Suggestions: GDPR requires a risk-based approach: the higher the risk, the more rigorous the technical/security measures that the controller or the processor needs to take to manage the risk! Before choosing any cloud provider you need to carry out a risk assessment. Chino.io can help you with this!
What are the technical and security requirements?
GDPR does not define a unique way to comply with its security provisions (unlike other legislation such as HIPAA in the USA, which does). What you need to do is to look at cybersecurity standards (e.g. OWASP), organizations providing guidelines (e.g. ENISA), best practices (e.g. codes of conduct) and certifications (e.g. ISO 27001 or 27002). They all contribute to creating the legal and technical framework.
Among these, the ISO/IEC 27000 family is the best known and most widely employed: it allows you to specify "the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization".
Remember also that when embedding security measures in an information processing system, it is crucial to ensure that the CIA triad is applied in a balanced manner: you need to guarantee the Confidentiality, Integrity and Availability of your data. While all three elements are important, different aspects of the triad will take priority depending on the industry and organization. To this end, the implementation of security measures needs to follow a security risk management process.
Can I get certified as GDPR compliant?
Yes, you can. But you don't need to. GDPR compliance is a self-certification, like the majority of compliance standards related to regulations. However, the GDPR expressly recognizes certifications as acceptable mechanisms for demonstrating compliance, but, again, it doesn't mandate any.
That said, the security standard ISO 27001 and the quality standard ISO 9001 are good certification mechanisms and are frequently required by entities (e.g. hospitals, insurers) with whom you plan to work. You can either use them as an internal guideline or seek third-party certification. Chino.io holds both ISO 27001 and ISO 9001 certifications, issued by an internationally recognized third party.
What if I'm building medical grade software?
Medical grade software requires CE marking in the EU and FDA approval in the US. This is a particular category of software that requires third-party certification mechanisms to demonstrate quality, reliability, and also data security. Typically, CE marking is achieved through ISO 13485 certification. In this case, your service providers (e.g. cloud computing providers) must be ISO 9001 certified. That's why Chino.io obtained the ISO 9001 certification: to help companies build medical grade software and connected devices.
Chino.io can help you comply with GDPR security requirements
As you may have gathered from this article, Chino.io gives digital health, eHealth and mHealth developers the possibility to store (partially or totally) the sensitive data they collect in a secure data storage through an API integration. We can act as Data Processor, and in this way you can delegate your data management responsibilities to us and increase data security without spending your own time on it. We constantly follow cybersecurity news in order to offer a service that is compliant with EU laws. Furthermore, we are ISO 9001 and ISO 27001 certified!
[^1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
[^2] See art. 4(1), GDPR.
[^3] See art. 4(15), GDPR.
[^4] See Art. 29 Working Party document "ANNEX - health data in apps and devices" available at this link.