One of the key challenges in closing the women’s health gap and expanding the number of offerings available to women (in an industry already worth over $60 billion globally) is surely the ability of companies to use women’s health data in a transparent and trustworthy manner.
Doing this with EU and UK consumers necessitates careful consideration of the EU and UK General Data Protection Regulation (together, the GDPR). Not only does GDPR compliance signal to women consumers that their personal data is being used in a sensitive and appropriate manner, boosting a health product’s reputation and credibility, it also avoids costly risks that can severely impact FemTech companies, from startups right up to large multinationals - GDPR fines can reach up to 20 million euros or 4% of a company's annual worldwide turnover. Below we discuss key considerations for compliance.
Privacy: building trust
For FemTech to fulfill its potential in addressing the historically neglected area of women’s healthcare, consumer trust is essential. Forbes recently reported that out of the health apps reviewed in a leading survey, women’s health apps were amongst the least trusted in terms of how user information is handled. This perception has been reinforced by data protection authorities, such as the UK ICO, investigating period and fertility tracking apps, in particular.
The lack of trust in the women’s health space highlights consumer concerns around the handling of (sometimes very intimate) data. Earning that trust by doing things properly in terms of compliance can set you apart from competitors. To start demonstrating such an approach, it’s a great idea to carry out a Data Protection Impact Assessment (DPIA) for your main data processing activities. Not only is this likely to be mandatory (the GDPR requires a DPIA to be undertaken when processing health data or using innovative technologies), but a DPIA also offers a structured means of working through the key issues that might affect women using your product. The GDPR also contains the helpful principle of data protection by design and by default, which is the idea that you “bake in” privacy at each stage of a product or service, from design to launch. Putting this principle into practice will be looked upon favourably by consumers and regulators alike.
Help! Am I a data controller?
A key question under the GDPR is whether you constitute a data controller or a data processor. Data controllers are fully responsible for GDPR compliance, as they determine the ‘how’ and ‘why’ of any data processing, while processors have more limited obligations. Assigning these roles is crucial in terms of liability, but it also involves a fact-specific analysis, i.e., you cannot simply pre-determine who is a data controller or processor - the position depends on how and why the data is processed in practice. Unhelpfully, this is also an area where there is plenty of conflicting and developing case law. Accordingly, mapping out all the relevant parties to ensure that contractual obligations and liability are apportioned appropriately is key.
Lawful basis and purposes of processing
A hurdle for women’s health businesses will be identifying a legal basis under Article 6 of the GDPR for each of their processing purposes. What complicates matters further is that the processing of special category data (which includes health data) also requires a suitable legal condition under Article 9 of the GDPR to be identified. For health apps and other digital services collecting users’ data, explicit consent is likely to be the relevant condition, and there is detailed draft guidance available at an EU level on the high standard of consent required here. However, for those in the industry carrying out research and clinical trials, the legal basis and condition relied on may vary across EU Member States, making the drafting of Participant Information Sheets (PIS) and Informed Consent Forms (ICFs) challenging.
Privacy notices remain a struggle!
Drafting a clear privacy notice will be at the heart of ensuring GDPR compliance and public trust - yet many companies continue to issue standard form templates that don’t meaningfully explain how a digital health service processes the data it collects. Where you are providing a digital service like a FemTech app, it will be key to ensure that the information is presented in a format that works on any mobile device and uses pop-up notices, graphics and videos where relevant.
The art of asking for less (data)
Those in the women’s health space will be aware of the tension between needing lots of data to provide a high-quality service and the GDPR principles of data minimisation, purpose limitation and storage limitation. These GDPR principles require controllers to process only as much data as is necessary for the purposes of processing and to delete data as soon as it is no longer needed. Therefore, it will be important from the outset (and before you launch your product) to set out a policy on these issues and to follow it in practice.
It might be possible for some purposes to anonymise data and take it out of the scope of the GDPR - but the standard for such anonymisation is very high, with a lot of case law behind it. For example, key-coded data is not considered to be anonymised data but rather pseudonymised data, and so will still be subject to GDPR requirements. It is also worth noting that anonymisation and pseudonymisation are highly contentious topics, and there is new and very technical guidance at both an EU and a UK level.
Security
While a personal data breach always looks bad, a regulator is more likely to be concerned where health data is compromised. Ensure that you have strong measures in place, including encryption, patching and access controls. If your service is a digital one, it’s also wise to try to store data on the consumer’s device as far as possible. Controllers should also undertake sufficient due diligence on vendor security; it is all too common to have good in-house security practices but to suffer a security incident involving customer data (for which you as the controller are responsible) because of poor data hygiene at a vendor.
Control and discretion: women’s rights
Women will often come to use FemTech-specific products and services because they feel let down by traditional health channels, which are often not focussed on women. It is therefore important to ensure that users have enough control and discretion over their data. At the heart of this is facilitating data subject rights in a frictionless manner. There should be obvious and user-friendly ways for women to access, correct and delete their data - these mechanisms should be integrated into the design of FemTech devices and apps in particular.
Tracking trouble
Women consumers may understandably feel discomfort if they look up a service related to sensitive issues like fertility and then find they are being marketed to with targeted ads on the subject. To avoid appearing intrusive, ensure that your cookie policy and banner clearly explain how you use cookies to track users (if you do). It should also always be easy and obvious for users to reject so-called “non-essential cookies” that relate to advertising and personalisation.