Compliance for AI in healthcare companies: your help needed!

| Sieuwert van Otterloo | Artificial Intelligence

Yasmine Yachou, an MSc student at the Vrije Universiteit Amsterdam, is conducting research into the impact of data laws on healthcare startups and scale-ups. If you work at an AI and healthcare company, please help by participating in the survey for this research.


The aim of this research is to investigate in what manner innovative companies in the Netherlands can conduct AI research on healthcare data, while complying with the GDPR and the AIA.

The General Data Protection Regulation (GDPR) was implemented in May 2018 and aims to regulate the way this interaction takes place. AI solutions require a large amount of data in order to generate accurate results, which is why having access to enough data is crucial. However, for the use of AI in the healthcare industry, the data used to research and develop such AI technologies consists of medical data, a special category of personal data whose processing is not allowed under Art. 9 of the GDPR unless done under very specific conditions.

This proves to be a big issue, especially for innovative tech companies that are researching these AI technologies. These companies often have limited resources as well as limited expertise or knowledge, which leaves them in a position where they need to reallocate their resources in order to fit their budget, which often stunts innovation. Furthermore, in April 2021 the European Commission proposed a draft of a possible new regulation, namely the Artificial Intelligence Act (AIA). This proposed regulation aims to improve the interpretability of AI technologies, especially so-called high-risk technologies, and aims to regulate compliance with these new guidelines. This approach, however, could further impact tech companies.

Research survey: please participate

In order to investigate the impact of these laws on innovative companies, a survey has been created.

The first part of the survey consists of questions relating to the AIA and aims to provide insights into how these companies currently comply with the AIA, before its implementation. This will therefore also provide insights into ways in which AI research on healthcare data can be conducted while ensuring compliance.

The second part of the survey consists of questions relating to the GDPR and aims to provide insights into how these innovative companies experience complying with the GDPR, and therefore in what manner compliance might affect their ability to conduct AI research on healthcare data.

The different parts of the survey can be found using the following links:

Part 1 (AIA, to be filled in by technical staff in an innovative healthcare company): https://vuamsterdam.eu.qualtrics.com/jfe/form/SV_3kiMetYaBV25iQK

Part 2 (GDPR, to be filled in by the GDPR responsible in such a company): https://vuamsterdam.eu.qualtrics.com/jfe/form/SV_4Tt64VkiwUf6FIq

Expected results

Preliminary results show that when it comes to compliance with the AIA, companies mostly claim to not yet have implemented a proper risk management system that can identify possible risks and measures to counter such risks. However, when it comes to the use of data within the company, all companies claim to have implemented the necessary measures when it comes to training, testing and validating their data.

Preliminary results show that when it comes to the experience of complying with the GDPR, companies claim to find the components regarding the rights of the data subjects and the notification of a supervisory authority the easiest components to deal with. On the other hand, the companies generally claim to find the component of processing special categories of personal data the most difficult to deal with, due to the medical data that is used for the technologies they provide. Privacy by design and by default is also a component of the GDPR that companies claim to find quite difficult to deal with, due to what are often considered unclear guiding principles of the GDPR.

What’s next?

The research is currently still up and running and Yasmine is looking for more innovative companies that develop AI technologies in the healthcare sector to interview. For each company, she is looking for someone who:

  • is a developer or in a technology role within their company
  • is the GDPR responsible within their company

If you are willing to participate in this research, please contact the following email address: y.yachou at student.vu.nl. The interview will take about 60 minutes and will greatly help with the research. Thank you in advance!

img source: artur-luczka via unsplash

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.