Kaleidoscope have noted a particular increase in our clients from the Intellectual Property and Investment sectors, looking for our advice on the European market readiness for data-based technologies.
Our research has identified, for a number of clients, that a proposed product/market model, even as late as Series A funding, is not compatible with European data law.
Our experience is that many organisations, both within and outside the EEA, miss the implications of their different routes to market for their data compliance position, or fail to understand the impact of payer/provider models in different health economies on their data strategy.
For example, one of our clients sells their product to service commissioners, where it is dispensed by primary care providers. In this example, they have a commercial contract with the commissioners, but are a processor under GDPR and also require a data processing contract with the primary care providers. They also sell their product through retail pharmacies, where any person can buy their product and download the accompanying app. In this case they are a controller. In a third use case, the customer can click through and obtain diagnostic reporting and advice. In this final scenario, they are a joint controller. In all three use cases, the same product is being used.
Another example is where there is a conflict between business model and regulatory regime. For example, a learning-algorithm app supplier’s data model may require the retention of identifiable data (the GDPR definition is very broad), but they have established a business model in which they are a processor. GDPR requires a processor to operate under a binding contract, which must include terms under which the personal data is destroyed at the end of the contract. If this organisation destroys the data, as required by law, they will not be able to retain the data required for their FDA compliance.