An interview with our CEO - Jovan Stevovic

We interviewed our CEO, Jovan Stevovic, and asked him to share some learnings after over 10 years helping digital health startups.

What are the top three data protection challenges for startups?

“Well, the first challenge is to understand what the applicable regulations are, what the roadmap is, and what the challenges really are that lie ahead of the startup. Every sub-domain or business strategy presents different challenges.”

“For example, different countries have different regulations, different standards. A startup roadmap starting from Italy or Germany, then going to the UK or going to the US will be much more different than just focusing on a B2B simple solution in one of the countries in Europe.”

So, the first challenge for startups is understanding what is the roadmap and what is awaiting the startups.

“The second challenge, typically the biggest challenge for startups, is solving what needs to be solved at the right moment, which is typically before signing the first contracts. Because you need data protection in order to show trust to your customers; they will demand that.”

You need to figure out with whom to work, [to] solve the first steps in data protection in order to sell the first contract.

“You need to figure out with whom to work, how to approach this, and solve the first steps in data protection in order to sell the first contract. But typically, that means you need to find the resources, both financial resources and work resources to solve those first data protection challenges and then be able to sell. So, that's the "chicken and the egg" typical problem of startups in the first phase.”

“And the third challenge for startups is also somehow the first step that a startup should do: trying to use data protection and regulatory topics in general as an advantage or as a strategic decision maker or guidance for your company.”

In some countries, it's much easier to get the data that you may need.

“For example, pseudonymised or anonymised data of a certain type, it's much easier to get them in some countries than others, not necessarily really driven by the data protection framework, but also the structure of the healthcare system, the structured data that you may have and the specific regulation to access to that specific structured data that you need.”

“It may be much easier to do it in the UK or US or perhaps also Italy than the other countries. Since we are in the digital health domain, we typically need data to build, to train, to build the products, to train the algorithms, the AI, and we need specific data for specific AI training and so on.”

“So, using data protection and regulatory frameworks and the setup of the healthcare system in the specific country must be considered and you must use them to define your business product company strategy accordingly in the best way.”

What's the hardest part of becoming GDPR compliant?

“Well, there are several aspects that are challenging. Some of them really depend also on the business that you are facing.”

“In B2B, selling to hospitals, the hardest part is creating the necessary documentation to convince your customers that you are compliant, that you are trusted, learning the jargon, being able to pitch, to present, to sell your compliance also during the sales process of your product.”

“So, in B2C domain or B2B2C domain or where you have direct contact with end users, perhaps the hardest part is introducing consents and requests that potentially could be limiting your product or limiting the sign-ups or limiting the acceptance of data sharing and giving you the data for your product.”

“So, in the B2C domain where there are end users involved, the hardest part could be fine-tuning the application, the service in a way that you get more data, as much as possible, for training your algorithms or monetizing the data if that's your business model.”

So, overall, GDPR is not really that complicated. It's kind of standardized.

“One challenge is also combining legal and technical know-how and pulling out or assessing your application on legal and technical matters and making sure that you have the complete legal technical documentation for B2B domain or reimbursement pathways and so on. But overall, it really depends on your business model, your target customers, and what you really need to do in order to reach the sufficient level.”

“Another challenge with GDPR compliance is that you need to understand what is the sufficient level that you need to reach. It's not the same for B2C and B2B companies.”

“For B2B, you need to do much more than B2C, especially at the beginning, especially in the first deals, first customers.”

You may get your first customers in the B2C space without any GDPR compliance.

“Many startups do that, that's how it is and that's how it works.”

What does GDPR compliance cost and what is the most expensive part?

“GDPR compliance became very cost-effective over time. Initially, 2018, '19, '20, GDPR compliance was costing €10,000, €15,000. Nowadays, we are talking about a few hundred euros perhaps per month if it's included in the Data Protection Officer service that any digital health company may need.”

So, it's really a few hundred euros of subscriptions or cost.

“The most expensive part is typically at the beginning where you need to implement a bunch of policies, documents, do the assessment, and so on. But again, with the new service providers out there like us, it became a subscription absorbing the initial cost, reducing the initial impact, and so on.”

“So, I would say the most expensive part of it is doing the work, allocating some time at the beginning to do the work, so your work is more expensive.”

Choose the provider that reduces your work and that simplifies your life at the beginning.

“And the most expensive part later on is growing and optimizing your compliance with your growth, with your stages, and with your needs down the road.”

What's the biggest security threat for digital health startups?

“Small errors. Small errors like using some tools that you shouldn't use or implementing some data transfers with some tools before you ask for consent.”

“This is not actually a security threat, because this is more like a compliance threat, but in the last 10 years these types of errors showed to be more risky for startups than pure security hacks or security data breaches and so on.”

“Because frequently digital health startups are not managing millions of users, they're managing a few hundreds of users, thousands of users, a few hundreds of thousands, but not millions. The volume of data typically is not that huge and the outreach is not that huge.”

“So security risks are increasing of course, like in any other business down the road when the startup becomes a scale-up, when it starts growing.”

In the initial few years, the biggest security … threats are those small errors that end up in newspapers

“But in the initial few years, the biggest security or compliance threats are those small errors that can make you end up in newspapers or cancelling big contracts that you may have with the insurances, or creating class actions, like some examples of Femtech startups that are still struggling with some class actions several years after the moment they committed some smaller errors that many startups do. So that's the biggest risk for digital health startups in general.”

When should a startup get ISO 27001 and how much does it cost?

“ISO 27001 is a certification to demonstrate trust. It's rarely really mandatory, it's mandatory only in a few reimbursement frameworks or a few national tenders.”

“When it's really needed, most of the cases is to demonstrate trust to your B2B customers, to demonstrate that you have committed, that you did some work on security, not only GDPR compliance perhaps, but also on the security in your company.”

So, when should you get ISO 27001? In the moment when you really need to demonstrate this trust.

“Perhaps in the B2B space you can get the first customer without ISO 27001, but the second, the third, the fourth one, I would recommend it.”

“Also when it comes to the costs and the effort, it became a very cost-effective or affordable certification to get. There are solutions like the one we have built that structure the ISO 27001 ISMS documentation creation and reduce really the effort on your side in terms of work, but also on consultant side and cost overall. So it became really cost-effective, a few thousand euros and you get the ISO 27001 certification.”

“It became one of the easiest certifications to get due to the fact that it's standardized, many consultants, many solution providers, many technologies involved, like in our case at Chino.io, we invested a lot to streamline this work and to bring down the cost and efforts on the ISO 27001 ensuring that you still implement what's really needed, all the requirements and all the compliance things that you need to have.”
