Since we are walking into a new technological era for healthcare, and with the proliferation of Health Tech startups and innovations, shedding some light on health data and the measures implemented to protect them becomes necessary.

As of May 25, 2018, the date of implementation of the General Data Protection Regulation (GDPR), businesses processing EU citizens’ data, had to change their concept of how to collect data. Therefore, instead of collecting as much data as possible, businesses are now required to collect only the minimum amount of data they need to offer a particular service.

In this article, we are going to address (1) the impact of GDPR in the Health sector and (2) the measures taken to limit Cybercrimes,


(1)  The impact of GDPR in the Health sector

Talking about personal information in the health sector is too delicate because the data collected by Health Tech is considered more sensitive than the specific information collected by non-Health Tech companies. Therefore GDPR took specific measures to ensure the protection of this “sensitive information.”

GDPR contains three important definitions that pertain to health data:

The GDPR defines data concerning health as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

Genetic data is defined as “personal data relating to inherited or acquired genetic characteristics of a natural person. The data gives unique information about the physiology or the health of that natural person, which is the result of the analysis of a biological sample from the natural person in question.”

Biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person. It allows or confirms the unique identification of that natural person, such as facial images or dactyloscopy data.”

To use this Health as mentioned earlier data, one of three conditions must apply as the person must give his “explicit” consent to process with his data; the processing is necessary for medical diagnosis; the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products.


In addition to that, with GDPR, the patient was introduced to several rights, such as the right to be forgotten. With this right, the patient can ask whenever he wants to have his data erased. The right to data portability: with this right, it is easier for the patient to allocate his data from one place to another.

(2)  The measures taken to limit Cybercrimes

GDPR implements tight security measures in the use of personal data. Therefore, every organization has to report to the Data Protection Authority (DPA) the breach of its data within 72 hours of discovery.

GDPR makes it essential to conduct a data assessment and obtain a view of your sensitive data and the associated workflows.

Besides, GDPR requires most applicable organizations to assign a Data Protection Officer (DPO) who is responsible for: monitoring compliance and training staff, providing counsel on data protection impact assessments, engaging with the relevant authorities.

Cybersecurity threats are evolving with time. For this reason, in addition to the GDPR measures, startups’ number 1 concern should revolve around data privacy and digital security, especially when talking about Health Tech startups giving the fact that the nature of the data they hold is, “sensitive information.”

Startups should consider implementing a wholesale cybersecurity strategy and tools to protect the sensitive data as much as possible.

For example, Encryption is one of the most useful data protection methods for healthcare organizations.