Compliance for AI in healthcare companies: a survey into GDPR and AIA compliance

Yasmine Yachou | Artificial Intelligence

Yasmine Yachou, an MSc student at the Vrije Universiteit Amsterdam, conducted research into the impact of data protection law on healthcare startups and scale-ups. The thesis research is now complete.


The aim of this research is to investigate how innovative companies in the Netherlands can conduct AI research on healthcare data while complying with the GDPR and the AIA.

The General Data Protection Regulation (GDPR) has applied since May 2018 and regulates how organisations process personal data. AI solutions require large amounts of data to produce accurate results, so having access to enough data is crucial. For AI in the healthcare industry, however, the data used to research and develop such technologies consists of medical data, a special category of personal data. Under Art. 9 of the GDPR, processing such data is prohibited unless one of the specific exceptions in Art. 9(2) applies.

This is a significant obstacle, especially for innovative tech companies researching these AI technologies. Such companies often have limited resources and limited legal expertise, which forces them to reallocate budget towards compliance and often slows innovation. Furthermore, in April 2021 the European Commission proposed a draft of a new regulation, the Artificial Intelligence Act (AIA). The proposal aims to impose transparency and risk-management requirements on AI technologies, in particular so-called high-risk systems, and to regulate compliance with these new rules. This approach, however, could further impact tech companies.

Research survey: closed

In order to investigate the impact of these laws on innovative companies, a survey was created.

The first part of the survey consists of questions relating to the AIA and aims to provide insight into how these companies currently comply with the AIA, ahead of its entry into force. This also helps identify ways in which AI research on healthcare data can be conducted while ensuring compliance. The second part of the survey consists of questions relating to the GDPR and aims to provide insight into how these innovative companies experience complying with the GDPR, and therefore how compliance might affect their ability to conduct AI research on healthcare data.

The surveys were built in Qualtrics and are now closed.


When it comes to how small innovative tech companies in the Netherlands go about complying with the rules and guidelines of both the GDPR and the AIA, it can be concluded that the selected companies comply sufficiently with the GDPR, as well as with most aspects of the AIA. The results regarding GDPR compliance are shown in the chart below:

Although the GDPR is known for its "vagueness" and room for interpretation, most companies report that they manage fine when researching and providing AI in the healthcare sector. This is mainly attributed to existing guidance and information, such as advisory boards, publications by competitors, and other regulations they are already required to follow. A recognised issue with GDPR compliance, however, is that it is often not prioritised: companies implement only the measures needed to be considered sufficiently compliant, which is partly a consequence of the limited resources these small innovative companies have.

As far as the AIA is concerned, it can be concluded that the respective companies seem to comply sufficiently with most aspects of the AIA, which can be explained by the overlap between the AIA and other regulations that are already in force. Compared to the "vagueness" of the GDPR, the AIA is considered more straightforward in its approach, which could help improve the willingness to adopt AI in the healthcare sector. The results regarding AIA practices are shown below.

What’s next?

The thesis has been completed and is available for download here – Yachou thesis – GDPR AI compliance at healthcare scaleups.


Author: Yasmine Yachou
Yasmine Yachou has completed both her BSc. and MSc. Information Sciences at the VU Amsterdam. Within ICT Institute, Yasmine works as a consultant, focused on privacy management.