Challenges for data sharing in the outcome economy and how startups address them (part 2 — Regulatory compliance issues)

Pavel Kopylov
Sep 14, 2021

Overcoming technical barriers for data sharing may seem manageable. However, highly technical development teams may find compliance issues too hideous to address.

Compliance is complex.

First off, regulations apply equally to all stakeholders. This means that you should have a reasonably good overview of the rules that apply to your organisation AND the regulations that your clients or partners must follow. As a result, you should be able to incorporate certain standards at your partners’ request. For example, if your company is incorporated in the EU and has clients in Russia, you must comply with the national law on personal data in Russia. This means that you must store the personal data of Russian citizens on servers in Russia.

Second, regulations differ significantly across jurisdictions and industries. Even the highly harmonised rules of GDPR are interpreted and enforced differently depending on which data protection authority is considering the case (for example, see the research on GDPR enforcement here). A data sharing initiative may stumble upon a whole array of regulations across countries and industries, like KYC/AML in financial sectors, security requirements for medical devices (covering AI tools as well), and national security policies for the use of satellite imagery.

Third, historically, regulations are often reactive to societal and technology developments. For example, GDPR entered into force a few years after various wearables, like smart watches, became household names. This creates significant regulatory uncertainty for technology creators. Say your application provides a unique way to manage EHR using blockchain technology to validate certain transactions related to individual health data. To this day, it is unclear whether the authorities will consider that the blocks on the ledger can be seen as personal data processors, or whether the information that a certain transaction took place can be considered PII (personally identifiable information).

Things to do to overcome compliance challenges to data sharing:

  • Understand the applicable regulatory framework for your project AND other stakeholders’ business. You may be unable to access certain markets or industries without tackling compliance early;
  • Outline the competences required for addressing compliance issues and decide whether to use in-house competences or a third party;
  • Decide on the budget for handling compliance and the distribution of costs among the stakeholders;
  • Approach compliance from a risk management standpoint. Many specialised consultants will recommend addressing specific issues before the data sharing initiative is launched, even if it’s uncertain whether specific regulations will apply. Identify compliance-related risks and decide whether you need to address these now, create a contingency plan for the future, or simply accept the risk.
