
Global Privacy Considerations for Healthcare IT & FDA Regulated Startups


Darshan

Hey everyone, welcome to another episode of Darshan Talks. My name is Darshan Kulkarni. As you all know, the goal of this podcast has always been to talk about the life sciences, to talk about things that impact the life sciences. And one of the things that keep popping up is the idea of privacy, the evolving and emerging role of privacy and the discussions around it, and how that impacts the life sciences. And if you're in clinical research, if you are in marketing, if you are in PR, if you have if you are a medical device that has patient data, every single one of you are probably impacted by the discussion around privacy. Along the way, I, I follow a lot of really interesting people on LinkedIn. And one of the most interesting people I follow is an Amish shy Austrian. And Avishai is the head of privacy at axon. He is both a qualified privacy solicitor in England and Wales and also in Israel with a strong background in corporate commercial law. And, and what we're discussing is really how this all comes together. And Avishai, before I jump into some questions, is there anything I missed? Would you like to answer any questions? Clarify something I said or didn't mention?

Avishai

No, I think that was, first of all, thank you very much Darshan, for having me having me on the podcast, the chat always, always great to chat to friends all around the world. And that's what's amazing about this, this time that we're in now is that it's so easy just to hop on virtual chat and just have a conversation. So I love it.

Darshan

You never he never quite got this chance before. I'm gonna try. Let me ask you, oh, let's put some things out of the way. Because as lawyers, we kind of have to worry about this. This isn't legal advice. So if you're interested, I need legal advice. Avishai, why should they contact you?

Avishai

LinkedIn is a great place to find me. I'm very, very active there. So just drop me a line. And we'll we'll get the conversation started from there.

Darshan

Perfect. Um, so let's start with a couple of different questions. So we had a very brief conversation, as you know, started before the, this this starting the interview, and you talk to me about how you were born in Harrisburg. And, and yet here you are a solicitor in in Wales and the UK and and well, in England, Wales, and also in Israel. How does that all come together? Why, why did you come bring these pieces together from a global perspective? And yet, you're both not only an expert in, in privacy, but also corporate and commercial. So how do you bring that all together?

Avishai

Yeah, so a bit of a you highlighted a bit of my split personality there. But yeah, born in the US grew up in Israel, trained as a corporate and commercial lawyer went to law school here in Israel, trained as a corporate and commercial lawyer worked at one of the big firms and like every good young corporate lawyer, I did really everything I did, you know, high tech mergers and acquisitions, bit of antitrust even which was fascinating, and really fell in love with the area with privacy and data protection, and how basically how technology and the law, interact and sometimes clash with each other. And realize I wanted to develop my to have a career in this fascinating field, looked around at the Israeli privacy regulations and realized they weren't really the gold standard of privacy around the world. And they were talking about this new emerging regulation called GDPR. your listeners may be familiar with it, which is the privacy regulation that applies in the EU, that was supposed to be this new gold standard of privacy. And I said, great, you know, let's let's do that. And so I found the, you know, I knew of a UK firm that was actually based here in Israel. So I applied to work there and got my English qualification got my privacy knowledge up to date, and I really founded the privacy practice at esterson, which I had today. So that's, that's my journey. My background is very much in, in law and in, you know, in with with a commercial with really a commercial hat on which is very important for anyone dealing in this area of privacy because you have to be extremely, extremely commercial minded and understand, you know, what the client is trying to achieve, not just what the law actually you know, What the what the black and white law tells you, you can do where you can't do, because a lot of it is about achieving what goals you're looking to achieve. And, and so that's, that's kind of my that's my background, that's where I got to where I am today

Darshan

was with you. And your last sentence actually reminds me of something that I read about you and you made this comment. He said clients aren't interested in legal advice. They're interested in outcomes and solutions. And I think that's, that's so true. Because my experience is when you talk to clients, they're, they're coming to you with the problem. They don't care how you solve the problem. They want to know that they're solving the problem and the at the end of it, they're gonna have something that they can hang their hat on, in your experience, what is the impact of your statement? What have you, when you see young lawyers coming up? And they are, let's say becoming privacy experts. And they say that, you know, what this what the law says? How do you guide them and advise them to to do better?

Avishai

Yeah, so it's, it's true, it's, it's actually something that applies to the entire legal profession, not just the privacy, but it's true, especially in privacy. I'll get into that in a second. But, you know, we are so as lawyers, we're so used to, you know, we go to law school, and we read the laws. And we, you know, we read the the case, the case law, and we study everything, and we have all this legal knowledge. And the first instinct when someone comes to you and asks you for advice, because that's what you do you give advice. The first instinct is to say, I have all this legal knowledge. And I know all of these things, let me give you all of that information in, you know, in whatever format, you know, a long email or notes or an a legal opinion, or whatever it is. But in the end, what the person has come to you for advice for is they want to know how to move forward. So they want to know whether they can you know, whether they can move forward with a clinical trial, whether they can, you know, market, this medical device, whether it's ready, whether it meets the standards and the regulations, and they don't really care about what you know, what the law says, or what you studied in law school. And so changing, flipping that mindset and saying, Okay, what is the what is this person actually trying to achieve? And how can I get them there faster, that is in, in my view, and in the view of, you know, the view that we have in the firm, and in my team, that's exactly what legal advice really should be. 
And I said in the beginning that this is especially true about privacy, because if you look, for example, at legislation, like GDPR, like the CCPA, in the UK, and like other legislation that's coming out, now, it's a lot, a lot of it isn't black and white, it's a lot, a lot of it is, you know, take into account what the individual expects you to do with their data, what what's what's fair and transparent, and these, these concepts that you need to actually as a legal adviser, as a privacy, professional take and translate into a specific situation. So for example, I had someone, I had someone come to me, you know, the other day and say, you know, can I do? What does the law say? Can I do x? Yes or no? And that's all they want to know. Well, guess what? The law doesn't say, yes, you can do this. No, you can't do that. Right. And so that's where this understanding of trying to get people to the outcome that they want to get to and trying to get them the answer and allow them to move forward. That's where this kind of mindset is extremely powerful, and I think is the correct way. And, you know, and the appropriate way to give to give legal advice. That's really the only way.

Darshan

I, the way I frame the answer that question. I've been asked that. And it's gonna echo exactly what you just said, which is I personally tried to go from Can I do X, Y, Z to how do i do X, Y, or Z? And that decision makes helps me at least rethink the question. But thank you, because that's a question that when I've been General Counsel, I've seen that issue pop up enough times where you're going, this is all great information. But how does this this impact what I do on a day to day basis? So let me ask you a different version of the question. You talked about how you have a really strong corporate and commercial background, and that's impacting your knowledge and your experience as a privacy attorney. My question to you is, when you talk about companies of varying sizes, whether you're talking about a small emerging biotech, you're talking about a global well The small emerging biotech of say, initially funded three or $5 million, or a medium sized, generic company save anywhere from 150 to $200 million in revenue to a large pharma company, which is multi billion dollars in revenue. How do you advise them differently when you're talking about the types of privacy considerations they should have? And I'll tell you why I'm asking this question. When I advise them, what I worry about is, can you handle it? But the rules don't change necessarily. So how do you play that out?

Avishai

Yeah, it's Listen, it's a conversation. I mean, you really kind of hit the nail on the head with that one, because it's a conversation that I have on a daily basis, as you know, and your listeners may know, Israel has been dubbed the startup nation, right. I think we have more startups, we have the most startups per capita in the world, if not just second to Silicon Valley. But yeah, a ton of startups. And what that means is that, you know, startups, obviously, one of the things they care about the most, when they're building their products, is that their product is compliant with the, you know, the technological, whatever laws applied to that technology, which most often is privacy legislation. And, as you rightly said, the, you know, the privacy laws don't distinguish between, or at least I should say, the European privacy laws, because CCPA, for example, does have certain thresholds, which, you know, which then apply certain responsibilities and liability, but at least in GDPR, the minute you're collecting information, any type of personal information, and personal information is a very, very broad definition, right? So the minute you're collecting any type of personal information, the law applies to you from A to well, you said the, because I'm an English lawyer, I'm going to say that from A to Zed, right, all the way all the way through, my parents will have to forgive me for that one.

But so they apply completely. And it's true. And and it's, it's, it's a it's a big pain point for companies, because often this stuff can be very expensive to implement, and, and a real pain when you're trying to build a small company. And so the way that I, the way that I approach it with my clients is, you know, I use I use one word, risk. Okay, what is, what is the biggest risk for your company? So when you're talking about companies in the life sciences, people who are help collecting health information, so let's say you have a startup that, you know, that starting to the developing a product that is, you know, in the health tech, sphere, right, they're there, they're developing a software product in the health tech sphere. So the so in the beginning, the questions that I would ask them, for example, are okay, so you haven't gone to market yet? Right? So you're not collecting the information yet. So the risk isn't there at the beginning. But let's look at, you know, when you do go to market, what information will you be collecting? And how can you design your product from day one, to be compliant with, you know, when, when you launch the product, and when you do it, and that's the concept that we call it, you know, in the privacy lingo, we call it privacy by design, right, you're designing your product, in order to be privacy compliant from day one. And so, you know, I often had go through those exercises with with companies. And then if you're talking about a mid cap company, a midsize company, like you said, oftentimes, it will be about putting in place the processes and procedures. So they've come out of this small startup phase, where every everyone was running around doing everything, right, the CEO was on the line doing sales, and was also the, you know, the, you know, doing the, the marketing, you know, they were doing everyone was doing everything, and there were no processes and it was just like, we need to we need to survive, right. 
So you move out of that mode, and then you become a, you know, a viable company, you may have gotten an investment from a serious investor and people are starting to say, Okay, what have you put in place in terms of processes and procedures to make sure that you guys will be, you know, continue on the journey in a compliant manner. So then you start looking at things like internal privacy policies, and process is to evaluate new technologies or new features to your technology, or, you know, if it's a company that's going to a clinical trial, you might have some work around doing something like that. But then it really becomes about laying the foundations for that, you know, to build a building anytime, obviously, lay the foundation. And then I also have, you know, very, very, very large clients. And the challenge there from a privacy perspective is very interesting, in the sense that, then it becomes an issue of making sure that everyone knows what the other person is doing. So you have the small startup where everyone's doing everything, and then you have the large, you know, enterprise corporate that with, you know, 1000s of employees. And you could have a department that's just completely oblivious to the fact that you've put in place this new policy, and they're just kind of off doing their own thing. And because they're so big, they're, you know, they're not necessarily talking to each other. So then it becomes another challenge of kind of training, monitoring, making sure that, you know, the, the different parts of the organization speak to each other. So, you know, as you said, the different sizes of corporate kind of have posed different risks or different challenges from a privacy perspective, and need to be treated a little bit differently. But in the end, it's all about getting to that cohesion, and making sure that everyone's kind of following what what you set from the top.

Darshan

Now, I think that that's a really interesting point where you talk about the different companies. One of the things I've, whenever I'm advising clients I often struggle with, from that initial risk perspective that you mentioned, especially when you're in the startup phase, is often my number advising companies that are going to have some version of a bolt on product, going onto someone else's system. If that's true, those individuals are then looking at, you know, what, I'm not going to be okay, connecting to this other company system, because they're much larger company, they already have policies in place, and they're going to want to audit us. So when you're, when you're advising companies like that, where you know, funding is already a major issue, how do you advise them on? Here's how we can bolt on and yet still manage and control your costs? Do you still look at it from a risk perspective? Or do you say, these are non negotiables?

Avishai

Yeah, I mean, I think I think that inevitably, when you're dealing, when you have this kind of David and Goliath kind of situation, yeah, you're gonna have to, you're gonna have to have a sensible approach to your privacy program, right? So you're gonna say, okay, you know, this is what we expect to be doing. But then you may get a, you know, a large corporate, that, that you come and you're selling to, and they're saying, guys, listen, if you want to do business with us, this is the way we do business. So it's really nice that you have the policies in place, but you know, you're just gonna have to adhere to this, take it or leave it. And and I think the the risk approach here is, is also applicable, because, and it becomes less about kind of risk of just how we operate in a vacuum to the risk of how do we make sure that we're kind of we're covered from a, you know, in terms of the in terms of the risk, the allocation of the risk between the two parties, right, so the big corporate is going to have a certain amount of risk. And they're going to want to impose their policies onto you. And the corporate then needs the company that you're that you're representing, would need to say, okay, we wouldn't normally do things in this way. But we think that the risk of agreeing to 123 and four, maybe we can live with five, oh, wait on five, we may be able to accept this that we may need to increase our insurance premiums, for example, because that's an that's a an exposure there that may, you know, we may be able to cover with insurance on six, we may need to contract with a third party to make sure that we're, you know, we're detaching some of the risks that we have and adding it on to a third party. So it's it becomes about Making, you know, commercial lawyers are good commercial lawyers, I should say know that they need to be deal enablers rather than deal breakers, right? 
They need to say, okay, we're and this goes back to what we were talking about before about getting to the, you know, getting to where the client needs to be. So it's not about saying, you know, looking at this long list of demands and saying, Oh, no, there's no way we can do this. Forget about it. We're not doing the deal with Amazon or Google or, you know, whatever. That's, that's not going to happen. It's about Okay, let's see how we can do this, while minimizing the risk that we have internally.

Darshan

Great, thank you. Now, here's, here's an interesting question, because one of the things I saw in your background that really spoke to me, and it's being echoed in exactly the conversation I'm having with me, is you you and him in the conversation we've had a little bit earlier. You talk about how Israel is a startup nation, you talk about how you advise startups. But one of the things on your profile talks about you being a startup mentor, what does that mean to you? And what is that impact? What is the what has been the impact of that?

Avishai

Yeah, so I year, I think or two ago, I joined I was asked by a friend of mine who's a, she's a partner and a VC. I, she said to me, You know, I mentor I had, there's an accelerator called TechStars. And what they do is, every year, they have a cohort of about 10 startups in Tel Aviv. And they, you basically volunteer your time to come and mentor these startups, and they have people from all different backgrounds, so they have VCs and people, marketing people, sales people, business developments, and, you know, I came and said, Hey, would it be, you know, helpful for you guys to have someone who understands privacy, for companies that are building these small products, and these, these, these new products, and, you know, I went to my first cohort, and, you know, we I met with all the startups and gave them advice. And I have to tell you, it was one of the most rewarding experiences of my career, to be able to see these, like little fledgling startups come and develop. Some of them, by the way, since has secured very, very impressive financing rounds. And, and I stayed in touch actually, with a number of them. And it's really, really amazing for me, to be part of the Israeli tech ecosystem, I feel like I kind of did a little bit, you know, gave a little bit back to, to this to this ecosystem. And it was extremely rewarding to be able to apply the skills that I've learned and developed over, you know, over the years, and, and help these these companies, you know, we talked before about startups being strapped for cash and not necessarily having the means to be able to afford legal advice, or, you know, mentoring during the, these critical times in their development. And so being able to be a part of that was absolutely amazing. And I consider it to be one of my, you know, one of my, my, you know, my, it's extremely rewarding for me to be able to do that and kind of give back in that way.

Darshan

So that was great. I'm sorry, I have to admit that we keep a tight time on this. And the conversation today has been about a lot of experiences around startups, we've talked as you know, about your experiences in guiding small startups, a bunch of experiences, mentoring them, talking about how you help them manage risk. What I'd love to do is maybe have you over again, and we can talk about larger companies. I'd love to talk about your experiences with data transfer agreements, I'd love to talk about the impact and implication on companies that are, for example, in the UK, and what is the impact of Brexit? I'd like to talk about Israel and its unique privacy laws and what is the case study associated with that? Would you, would you be open to coming back?

Avishai

Absolutely. I mean, to be honest with you there so I think all the stuff that you listed you may need like a day and a half to cover all of those topics but listen, if we didn't, yeah, no, it would be absolutely my pleasure. I love having these chats. And, you know, I hope that your, your audience enjoys them as well. I would I would very much love to be invited back. Be a pleasure.

Darshan

Perfect. Thank you again. I'm sorry. Let's remind everyone, where can they find you again?

Avishai

Yeah. So, so look me up on LinkedIn. I'm active there. Feel free to drop me a message, connect, engage. I'm extremely responsive. I never let a message go unanswered. So you'll definitely hear back from me if you if you contact me there.

Darshan

Very cool. And thank you again for coming up. My name is Darshan Kulkarni, and this is Darshan Talks. Stay tuned for the next next stream cast. We're going to do next podcast we're going to do

Avishai

Thank you there, sir.
