
Data Protection 101: Buy platform, hire consultant, hire someone?

Jovan Stevovic
March 24, 2025
7 min read

Digital health entrepreneurs face hard choices early on.

You have to develop a compelling product and take it to market.

But you also are operating in a highly regulated space.

So, you need to also focus at least some attention on data privacy and security. In this market these aren’t a “nice to have”, they’re often a requirement to be able to launch, close your first deal or even do clinical studies.

One of the bigger problems to solve is Data Protection (although it is definitely not the only one). You usually have 3 options on how to deal with it.

Here we look at the pros and cons of each one!

Pay for a Data Protection platform

Pros:

✅ Work at your own pace

✅ Easy checklist-based approach (if the platform is well designed)

✅ Quick to become compliant

Cons:

❌ Needs significant time from someone on your team

❌ Can be (very!) expensive - most of the well known platforms are at the €10k a year price tag

❌ No real validation of legal requirements or technical decisions

Regardless of how well designed and implemented a platform is, it is still just a set of checklists. It doesn’t make the hard decisions for you or answer your complex compliance questions. It just helps you record the answers and store them.

In practice, we have seen companies spend thousands on these platforms, use them to answer every question with a “YES” or “N/A” as fast as possible, and then be unable to answer even basic questions when a customer sends them a vendor risk assessment.

Disclaimer for transparency: We actually offer our own platform as a service, ChecksME. We believe this provides a useful service, but we are completely aware that it cannot guarantee your compliance. For instance, it cannot make decisions for you like whether you are better off being a data controller or data processor. Nor can it look at the details of your implementation and judge whether you got your data minimization obligations right.

Hire a consultant

Pros:

✅ Guaranteed to get you compliant (if they are good)

✅ Benefit from expert advice (not only gathering answers but also asking the right questions for your specific case)

✅ You can actually offload responsibility to them

Cons:

❌ Generally quite expensive

❌ Hard to know how good they are

❌ There’s a potential conflict of interest: billing per hour usually doesn’t lead to efficiency

This is usually the most popular option, since many entrepreneurs see right away that, even with the aid of a platform, data protection is not something they want to specialize in. The biggest problem is the one inherent in hiring any consultant (whether it is a DPO or an accountant): how do you know if they are good? The best option is to get personal recommendations from peers and to research the success stories each provider can offer.

To keep in mind: sooner rather than later, a consultant will need to start billing by the hour, if they don’t do it from day 0. And here is where things get tricky. They will be expensive to change for you, but at the same time they will be expensive to keep: they don’t get paid for efficiency.

To see how we tackled this issue for our clients see below.

Train or hire your own in-house specialist

Pros:

✅ Brings the expertise in-house

✅ Potentially more accountability and responsiveness

✅ Deep knowledge about your product, company and business is guaranteed

Cons:

❌ Unless you luck out, a direct hire will likely have far less experience than any consultant.

❌ They will still need access to a compliance platform or similar for efficiency, and will probably still need a consultant for final validation of any decision

❌ As any other employee, may leave at any point in time

At a certain scale, you will need to start bringing some of the expertise in house. However, (for startups at least) the workload shouldn’t require a full time position, and if it’s part time it pretty much leaves you with a consultant who likely lacks the experience. Moreover, it can be challenging as a non-expert to find the right person for the role.

How does Chino.io do it?

For a long time we struggled to find the right balance. We started out creating tech products ourselves, namely a Backend as a Service that digital health companies can use to meet the stringent data protection requirements in healthcare.

We then realized that our users needed consulting to understand how to actually use our services. But charging per hour felt wrong.

At the same time, some clients have more challenges than others, and even for companies of similar size, the difference in effort can be 10X. What is fair then?

We opted for a combination of all of the above, optimising continuously to strike the right balance:

  • A platform that guides the whole process you and your company will follow to become compliant. All the assessments, policies and tasks are there. No surprises, no Google Docs, no out-of-context comments, no indefinite amounts of work. A predictable, proven process.
  • An expert consulting team that invests its time exclusively in the parts that add the most value to our clients: getting you onboarded the right way, setting you up on the platform, verifying the input you give us, drafting and validating policies, and giving you the right answers to the tough questions when you go out there and sell, or once your users start asking them. No, they don’t get paid to copy and paste, or to format Excel spreadsheets, because the platform already takes care of that for them. Each case gets a custom implementation project with guaranteed results, and a certain number of hours per year they can use (with the option to get more at a reasonable price).
  • Last but not least: you, or the contact point you assign in the company to work with us. We don’t believe companies need an in-house lawyer to deal with GDPR or HIPAA, but a person who can interact with one is really, really important. As much as we would like to be a fly on your office wall, most of the time we are going to be there once you call for us. And it’s quite important that you call us at the right time. What we have found works best is that someone in your company takes that responsibility and acts as the go-between for business and legal/privacy issues. This person usually learns by working together with us on the measures we suggest, and by receiving training directly from us. They can also work on any policy or assessment at their own pace using our platform, if they so desire.

While we are constantly improving, we believe we are getting to the right balance between peace of mind (both in terms of compliance risks and budget control) and a sustainable business model that we can continue scaling.

If you want to hear about how my team takes a different, holistic approach to getting you compliant, please feel free to contact us!
