In 2016 the EU announced its plans for making companies responsible for user data protections of all EU citizens, regardless of where the company resides geographically.

Woebot Health, rooted in scientist-practitioner philosophies, has been preparing for full compliance by May 2018, and we can say it has been an exceptionally validating and, dare I say it, even enjoyable process. Yes, validating and enjoyable. Here’s why:

GDPR is different than HIPAA

What makes the EU’s General Data Protection Regulation (GDPR) stand apart from the United States’s Health Insurance Portability and Accountability Act (HIPAA) is that the former is a fundamentally person-centered approach. Much of this is owed to how GDPR was developed – beginning with European legislators seeking to understand the privacy issues that concern their citizens, and their opinions on the bounds of privacy tolerance, from both an ideological and practical standpoint.

While legislating for health privacy tech is a good idea, HIPAA focuses more on specific technical requirements than GDPR does. It provides a clear roadmap for the technical architecture that must be in place to meet minimal acceptable security standards, and it is clearly interpretable and certainly helpful. One of my fears with HIPAA, however, is that users can assume that just because something is HIPAA-compliant it is 100% trustworthy, but this isn’t always the case. HIPAA-compliant software companies can still be hacked, and can still carry vulnerabilities that are overlooked, perhaps due to poor user-centered privacy design decisions.

GDPR law, in contrast, is founded upon user-centered principles, which means that developers are forced to think through privacy by design at every level of development, and either change or defend their workflows from the position of putting people’s privacy first. Instead of simply checking boxes, this elevates the conversation and acknowledges the frank benefits of a much higher standard of data protection.

Woebot is User-Centered

We are fortunate that Woebot was originally developed from a user-centered position. For example, upon user request Woebot can delete data, and thus mirrors the GDPR principle referred to as “the right to be forgotten.” Also, our informed consent procedures during app onboarding are borrowed from best practice for human-centered research.

Leading the Way

Indeed, GDPR moves away from the perception that there is a “right” way of doing things versus a “wrong” way. Instead it forces a deeper, more nuanced level of design, grounded in sensible protection rather than prescription, which is imperative as new data-driven technologies come on stream, and can actually push the field further. And we think that is a very positive thing.
