How healthtechs can turn compliance challenges into business benefits
Technological advances, medical research breakthroughs and the continued democratisation of what used to be hard-to-find information have empowered people to take control of their healthcare, fitness and nutrition as never before. The message ‘health is the new wealth’ is resonating across society and, as a result, healthtech is becoming a huge driver of wealth creation too. The world of telemedicine, wearables, connected healthcare devices, medical apps and digital health systems is an incredibly exciting, optimistic place to be for providers and patients alike.
The growth of the healthtech sector in the UK and continental Europe has been particularly impressive as innovators have sought solutions to challenges around ageing populations, an increasing prevalence of chronic disease, soaring healthcare costs and treatment backlogs – and to offer the choice and convenience today’s health ‘consumers’ demand too. Europe’s digital health market was valued at £50 billion in 2023 and is projected to grow at a compound annual growth rate (CAGR) of 22.3% between 2024 and 2030. But even those projections may prove to be modest, such is the energy on both the demand and supply sides of the equation.
Unique compliance challenges
While extremely attractive for innovators and investors, the healthtech sector presents a unique set of compliance challenges because of the particularly sensitive data it handles and the strict regulation that rightly accompanies it. Add that many healthtechs are necessarily part of wider data sharing ecosystems (or wish to be), and that Artificial Intelligence very often powers these solutions, and the data protection, information security and data/AI governance challenge can seem daunting indeed. It can even seem impossible to work out, with any degree of confidence, what you should be doing, given the onslaught of overlapping and complex rules issued as the authorities race to keep up with the pace of change.
The good news is that there are pragmatic pathways healthtechs can follow which will give them compliance confidence in the present and future-proof them for whichever new regulatory requirements come (as they surely will). In fact, building from strong foundations of data governance and Privacy by Design will stand healthtechs in good stead across the board, allowing them to reduce risk (and costs!), maximise trust and differentiate themselves from their competitors. Amid the digital health goldrush, many will have allowed themselves to become somewhat distracted from their very serious responsibilities around data privacy, security and ethics; we know from experience that it is regrettably common for organisations to have naively assumed these could somehow be bolted on once their offering was built. It is never too late to remediate weaknesses, and we specialise in doing this at pace via ‘sprints’, yet we invariably end up lamenting how much better things could have been had an earlier, more expansive effort been made.
True leaders are taking a very different approach to the laggards, recognising that a Trust by Design approach is the only way to build sustainable success in the healthtech space long term. These pioneers go beyond the good start of Privacy by Design (baking data protection into data processing and business practices) and into the realm of integrating genuine trust around data into the design and development process of every element of their products and services. This is where healthtechs can start to wring business benefits from the undeniably weighty compliance challenges their sector must grapple with.
Securing partners, investors and users
By prioritising trust, healthtechs not only ensure end-users can have absolute confidence in their technology and business practices; they also cement their place in the digital healthcare ecosystem. Preparing healthtechs to push and pull data to and from other healthcare providers, including publicly funded healthcare systems like the UK’s National Health Service, represents a significant proportion of our work, so we know how high the standards have to be. Interoperability and integration with existing systems are where much of the value of healthtechs lies, but providers can hardly expect to be plugged in as they need to be if potential partners fear they might be the weak link in the data chain and a source of counterparty risk.
The same concerns around regulatory, financial and reputational dangers apply to prospective investors: research indicates that over half of Fortune 500 companies now feel the need to discuss how they address privacy and governance-related risks in their investor relations literature, and that the same proportion of CEOs plan significant investments in cybersecurity and data protection as a result. For all kinds of stakeholders, and across sectors, data protection, security and ethics issues are more than mere hygiene factors: because the risks associated with poor practices are so abundantly clear, anything less than leading practice can very often be a showstopper for partners and investors, not to mention end-users.
It may be a cliché by now to say that ‘data is the new oil’, but it remains true. Those who cannot exploit data resources efficiently, safely and sustainably cannot hope to compete in today’s world, and especially not in the ultra-regulated, ultra-risk-exposed health space. On the flipside, there are outsized rewards on offer for being a trusted data steward, no matter the size of the organisation: research has shown that for every $1 invested in good data governance and security, the average company receives $2.70 in tangible benefits, and this return on investment holds for small, medium and large organisations alike. Trust by Design is the only choice, whether approached through the cool logic of the balance sheet or empathetically, through the lens of ethical rights and wrongs when dealing with people’s most personal data. It is instructive that the Edelman Trust Barometer Global Report found that only 73% of respondents say they positively trust healthcare sector businesses: there is clearly a significant brand-building opportunity for those able to aim higher and convince the neutral and the negative.
Move fast, but don’t ‘break things’
So, how do we help our healthtech clients implement a Trust by Design approach? As you might expect, the answer differs according to the precise solution and use case, but there are common threads. Leading regulatory and data security standards are obviously foundational, but so too are the principle-based considerations this compliance is built upon. Our initial assessment and gap analysis asks: Is your data use lawful and well-justified throughout its lifecycle? Is this appropriately explained, and within the expectations of your target users? Are you processing all the data that is required, but no more, so that you maximise data utility without incurring additional risk? What actually are the risks to which you, your partners and your end-users are exposed, and is everything possible being done to mitigate them?
These are basic compliance questions, but they tend to open up wider ones around data governance and ethics, and they also force a proper, forward-looking reckoning with information security and the investment it requires. This goes well beyond a tick-box approach and takes a little more thinking and time, but the result is a clear-eyed understanding of your Trust by Design posture which you can then readily articulate (and evidence) to any and all stakeholders in your organisation’s growth. In the health data space particularly, that is a very powerful thing. Healthtechs will certainly want to move fast, but unlike their counterparts in other tech sectors, they emphatically do not want to be seen to ‘break things’ where intimate health data is concerned.
High-risk, high-reward data use cases are a specialism for our expert team and we have helped real healthtech pioneers in and outside our ‘home’ GDPR territory to stake their claim to growth. Read our case studies to find out more about our NHS-linked clients, or get in touch to discover how you can most effectively leverage Trust by Design principles to make your mark on the healthtech market.
This article was authored by Wendy Spires, CIPP/E. This article should not be taken as legal advice. Trace is now a Datavant company.