10 GDPR tips for health innovators

This brief post summarizes some of the key points relevant to Digital Health companies.

Take our free Compliance Self-Assessment to determine what your privacy requirements are, based on the data you collect.

The key points for Digital Health companies

The document and resources linked above list and explain these key points:

  1. Health Data: check carefully whether you actually collect health data, which is a special category of personal data under GDPR (Article 9). No health data means fewer obligations and lower risk.

  2. How, why and to whom to demonstrate compliance: healthcare has many stakeholders you need to sell to or talk to. All of them will ask you about data privacy. Many of them don't know what a good answer looks like, so be better prepared than anyone else.

  3. Consent: obtaining it is the fundamental step before collecting any data, and for health data the consent must be explicit. Read more here.

  4. Data Protection Impact Assessment - DPIA: GDPR is risk-based. A DPIA helps you identify the risks of your processing and demonstrates that you have done the work. It is mandatory where processing is likely to result in a high risk, and large-scale processing of health data is named explicitly as such a case (Article 35).

  5. Data Protection Officer - DPO: even a health startup may need a DPO; it is mandatory where your core activities consist of large-scale processing of special-category data such as health data (Article 37). Get more than one specialist's opinion, because a DPO can be costly.

  6. Data Security and other technical obligations: familiar measures (e.g. encryption, pseudonymization, anonymization) that take on specific meanings and legal consequences under GDPR. In particular, pseudonymized data is still personal data, because whoever holds the separately kept key or lookup table can re-identify it; only properly anonymized data falls outside the regulation (Recital 26).

  7. Contracts with Data Processors and Partners: if your cloud tools are not compliant, then neither are you. GDPR requires a written data processing agreement with every processor (Article 28). Using "normal" cloud tools and databases for health data and apps, without such agreements and without the appropriate safeguards, is one of the most common mistakes.

  8. Check other regulations: GDPR is general, as its name says. To be compliant with your health data and apps you must also comply with sector-specific (sometimes national) security regulations and guidelines.

  9. Pay attention to false info: there is huge misinformation, even among experts. Some of them sell non-existent things like GDPR certifications. Currently, there is no such thing as a GDPR certification out there; Article 42 foresees certification schemes, so ask any vendor which supervisory authority or accredited body approved theirs. You can only get consultancy to help you **self-declare that you are GDPR compliant**.

  10. Don't Panic!: you can turn challenges into opportunities. GDPR is a great way to demonstrate to your users, customers and partners that you have a great business model that doesn't rely on violating users' privacy, which is a fundamental right, like freedom.
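To make the distinction in point 6 concrete, here is an added example (written for this page, not code from the original post or from Chino.io) that shows keyed pseudonymization beside an unkeyed hash, the re-identification only the key holder can perform, and a toy aggregation step in the direction of anonymization. The record fields, the key, the identifier range and the k threshold are constructed assumptions for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration only; no real patients.
# Field names are assumptions, not a schema from the original post.
RECORDS = [
    {"patient_id": "P-1001", "email": "a@example.org", "age": 34, "diagnosis": "asthma"},
    {"patient_id": "P-1002", "email": "b@example.org", "age": 38, "diagnosis": "asthma"},
    {"patient_id": "P-1003", "email": "c@example.org", "age": 41, "diagnosis": "asthma"},
    {"patient_id": "P-1004", "email": "d@example.org", "age": 67, "diagnosis": "diabetes"},
]
DIRECT_IDENTIFIERS = ("patient_id", "email")

# Constructed key. In production this is the "additional information" that
# GDPR Art. 4(5) requires to be kept separately from the data (a KMS/HSM,
# not the same database or the same backup as the pseudonymized records).
KEY = b"constructed-example-key-do-not-reuse"

# Plausible identifier space an attacker could enumerate (assumed).
CANDIDATE_IDS = [f"P-{n}" for n in range(1000, 2000)]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: NOT adequate pseudonymization for a small, guessable
    identifier space, because anyone can hash every candidate and match."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Deterministic, so records of the same
    patient still link together, but unlinkable to the identity without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Strip direct identifiers and attach a keyed pseudonym. The result is
    still personal data under GDPR because the key holder can re-identify it."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseudonym(r["patient_id"], key)
        out.append(row)
    return out


def relink(pseudonymized, known_ids, key):
    """Re-identification as performed by the key holder (e.g. the controller
    answering a data subject access request). Returns None per row where the
    key or the identifier list does not match."""
    table = {pseudonym(pid, key): pid for pid in known_ids}
    return [table.get(r["pseudonym"]) for r in pseudonymized]


def brute_force_plain_hash(target_hex, candidates):
    """Attacker view: recover an identifier from an unkeyed hash by enumeration."""
    for cand in candidates:
        if plain_hash(cand) == target_hex:
            return cand
    return None


def anonymize(records, age_band=10, k=2):
    """Aggregate to counts per (age band, diagnosis) and suppress cells with
    fewer than k individuals, so no individual-level row survives. This is a
    toy illustration of the direction anonymization takes; whether a real
    dataset is anonymous under Recital 26 needs an assessment of all means
    reasonably likely to be used for re-identification, not just a threshold."""
    counts = Counter((r["age"] // age_band * age_band, r["diagnosis"]) for r in records)
    return {
        f"{band}-{band + age_band - 1}/{dx}": n
        for (band, dx), n in counts.items()
        if n >= k
    }


if __name__ == "__main__":
    pseudo = pseudonymize(RECORDS, KEY)
    ids = [r["patient_id"] for r in RECORDS]
    print("pseudonymized row:", pseudo[0])
    print("relink with key:", relink(pseudo, ids, KEY))
    print("relink with wrong key:", relink(pseudo, ids, b"wrong-key"))
    print("plain hash recovered:", brute_force_plain_hash(plain_hash("P-1001"), CANDIDATE_IDS))
    print("HMAC recovered:", brute_force_plain_hash(pseudonym("P-1001", KEY), CANDIDATE_IDS))
    print("anonymized:", anonymize(RECORDS))
```

The point to take from running it: the HMAC output removes names and emails from the working dataset, yet `relink` shows the controller can still get back to the patient, which is exactly why GDPR still treats that dataset as personal data; the unkeyed hash is worse, since an outsider recovers the identifier by enumeration; and only the aggregated output drops individual rows entirely, and even that needs a proper re-identification risk assessment before calling it anonymous.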


Subscribe to Chino.io newsletter

Keep up with the latest in eHealth