10 GDPR tips for health innovators

This brief post summarizes some of the key points relevant to Digital Health companies.

The key points for Digital Health companies

In the previously linked document and resources are listed and explained these key points:

Health Data: Check to see if you are really collecting health data. No health data means fewer obligations and risks.

How, why, and to whom to demonstrate compliance: Healthcare has many stakeholders to whom you need to sell or talk. All of them will ask you about data privacy. Many of them don't know what a good answer looks like, so be prepared more than anyone else.

The Consent: it's the fundamental step before collecting any data, especially health. Check more here.

Data Protection Impact Assessment - DPIA: GDPR is risk-based. DPIA helps you to figure out risks and demonstrate that you have done work.

Data Protection Officer - DPO: Even health startups may need a DPO. Check with multiple specialists because DPO can be costly.

Data Security and other technical obligations: old and obvious things (e.g. encryption, pseudonymization, anonymization), just refreshed and having different meanings and legal consequences under GDPR.

Contracts with Data Processors and Partners: if your cloud tools are not compliant, then you are not too. Using "normal" tools and databases in the cloud for health data and apps is one of the major mistakes.

Check other regulations: GDPR is General. To ensure compliance with your health data and apps, you must also comply with specific (sometimes national) security regulations and guidelines.

Pay attention to false information: Experts also spread misinformation. Some sell non-existent things like GDPR certifications. Currently, there is no such thing. You can only get consultancy to help you self-claim that you are GDPR compliant.

Don't Panic! You can turn challenges into opportunities. GDPR is a great way to demonstrate to your users, customers, and partners that you have a great business model that doesn't rely on violating users' privacy, which is a fundamental right, like freedom.