Why are DPOs from hospitals so scared of the cloud in 2024?

Being fresh from DMEA this month, I still see a concerning problem for European digital health companies: hospitals and clinics are (still) reluctant to adopt cloud solutions.

And the implications are plenty: software that is harder to improve and maintain, higher maintenance bills, and a decrease in competition (it’s way harder to create a company that delivers and maintains software on-premise vs SaaS).

Plus, many times, the DPOs (aka Data Protection Officers) stop projects due to the absence of legal guarantees about the patient's privacy.
So, how do we deal with these challenges? Well, you may find your answer throughout this post!

Why are DPOs so concerned?

While there have been concrete legal challenges in the last years with the whole issue of EU-US data transfers and the use of typical cloud providers like AWS, Google Cloud, or Microsoft Azure, this is no longer the case in 2024.

What remains is an overall lack of trust in the cloud as a viable way of meeting the demands of modern hospital infrastructure while maintaining patients' privacy (and keeping the hospital's risk of being fined to an absolute minimum).

In recent years, working side by side with digital health companies that try to appease the concerns of hospitals’ DPOs, I’ve found the following four reasons that may cause the DPOs’ concern:

💡​ Lack of standardisation in the certification process for GDPR compliance (there are certificates out there, but first-hand experience demonstrates these are not universally recognised—so what’s the point?).

💡​ Less control over data security: cloud storage may introduce potential security risks, such as data breaches, unauthorised access, or data loss, which could have huge consequences for the hospital.

💡​ Data ownership and control: hospital DPOs often need assurance that they retain ownership and control over the data stored in the cloud. They must ensure they can access, manage, and delete data as needed without relying solely on the cloud service provider.
In traditional on-premises environments, hospitals have a greater degree of control over their data and IT infrastructure (this is why DPOs are accustomed to having full visibility into how data is stored, accessed, and protected within their facilities).

But things are changing a bit (and slowly).

Last year at Bits and Pretzels, we saw that the unanimous advice for B2B companies selling to hospitals was to offer on-prem delivery only.

Is that still the case today? Certainly there is an uptake of cloud solutions by hospitals (the Krankenhauszukunftsgesetz in Germany likely played a big role), so offering only on-prem today may be too restrictive for service providers.
Having said that, we are a long way from a unified way of assessing whether providers are actually GDPR-compliant.

Don’t know about the Adequacy Decision? Read our blog article here, or get a free 30-minute call with our data protection experts.

What you should do to win a deal

Tough questions from a customer’s DPO can be risky for your deal's success (and, still, there is no GDPR certificate to show that would prevent those tough questions!).

So, what do you need to do to sign the deal if you’re selling your solution to hospitals (and you are relying on a cloud provider)?

Here are four points I think can help you as a general direction:

Try to be as constructive as possible. Demonstrate your commitment to compliance by aligning your cloud solutions with industry-specific standards such as HIPAA, GDPR, and possibly ISO 27001.

Build a product with privacy by design in mind. If you show you have built your solution around your users’ privacy and implemented all the measures required to guarantee it, the DPO will likely be less restrictive.

Work hand-in-hand with DPOs to address their specific compliance requirements and concerns. Tailor your solutions to meet their needs. Ultimately, the DPO is your friend, so do not make it your enemy.

Provide good documentation. The more detailed your documentation is, the fewer doubts may arise. The set of documents you need to provide is both legal and technical—you will be asked to show a DPA, a risk assessment, etc.
Want to get your hands dirty? That’s no problem; we will look at them in the next chapter.

⚠️ Unfortunately, there is not a widely recognised GDPR certificate yet. Third-party certificates exist, but they are still not useful enough.

🔎 For each target, you need to do different things to show your compliance.

➡️ For customers: you will need to fill out Vendor Risk Assessments, which are based on the content of your Risk Assessment and DPIA. You will also need to show you have a good DPO.

The documentation you need to provide

Ok, let’s dig deeper into the documentation (in the end, this is what you need to deliver to the hospital).

There are two areas you should get covered when talking with a DPO in a hospital.

1️⃣​ Have all the documentation ready and demonstrate that you have a professional approach towards compliance. We can split the documentation into two categories:

💼​ Legal documentation (such as Risk Assessment): the goal is to convince the DPO that you are doing your legal homework.

📄 DPA: The Data Processing Agreement is the baseline of the relationship between you and your cloud provider. It is also needed whenever maintenance is provided by a company established in the EU. And the hospital’s DPO will definitely ask you about it.
Plan this ahead as it is an important document that requires legal (and tech) expertise.

🧰​ Technical documentation: it’s a set of docs to convince the hospital's tech team that your app/service has all the necessary security measures in place. Examples include pen test reports, vulnerability assessments, logs, and audit trails.
If you're in this space, the gold standard is to have seals (we provide our own as well), as well as a data security and privacy whitepaper with diagrams and legal justifications for why you're trustworthy.
Pro tip: Be clear and state that maintenance access needs to be under specific conditions (e.g., using VPNs).

2️⃣ Get your team ready to answer follow-up questions: DPOs will probably ask many tough questions about how you deal with data protection. At this point, make sure to involve your DPO in the discussion (and he/she must be prepared in both legal and tech topics if you want to make it as smooth as possible).

By the way, we have released the first batch of templates for free. Make sure to check them out!

A challenging (but feasible) milestone

Understanding and addressing the concerns of DPOs is crucial to succeeding in the adoption of cloud-based solutions within hospitals (and, most importantly, to signing your deal).

Offering robust security measures, regulatory compliance assurances, and transparent communication can help increase customers' trust in cloud solutions.

📢 Fun fact: in Germany, there are 2,200 hospital DPOs. Do they have a uniform way of dealing with these questions? Of course not 😉

This is why planning ahead and having the right legal-tech partner can be key to your business — and we at Chino.io have been doing this for almost 10 years!

Need help to deal with your customers and their DPOs? Chino.io, your trusted partner

Working with experts can reduce time to market and technical debt and ensure a clear roadmap that you can showcase to partners and investors.

At Chino.io, we have been combining our technological and legal expertise to help hundreds of companies like yours navigate EU and US regulatory frameworks, enabling successful launches and reimbursement approvals.

We offer tailored solutions to support you in meeting the GDPR, AI-Act, HIPAA, DVG, or DTAC mandated for listing your product as DTx or DiGA.

Want to know how we can help you? Reach out to us and learn more.