Scaling patient data compliance from startup speed to regulatory maturity
“As a health-tech company, every feature we ship touches patient data. We needed a compliance system that could keep pace with our two-week sprint cycles, not one that required a six-month implementation project.”
— DPO, French Health-Tech Scale-Up
The company had grown from 50 to 300 employees in three years, building a patient data analytics platform used by hospitals and clinics across France, Belgium, and the Netherlands. Their product processed health data — a special category under GDPR Article 9 — at significant scale: over 2 million patient records across 45 healthcare provider clients.
France's Hébergeur de Données de Santé (HDS) certification requirement added a national layer on top of GDPR, mandating specific technical and organisational measures for any entity hosting health data on behalf of healthcare providers. Meanwhile, the company's classification as a digital infrastructure provider under NIS2 introduced cybersecurity requirements that their small but capable security team had not previously been resourced to address.
The compliance team consisted of one DPO, one privacy engineer, and one security analyst — a ratio that was unsustainable given the volume of DPIAs, DSAR responses, breach assessments, and vendor due diligence flowing through the organisation. They needed automation, not additional headcount.
GDPR Article 9 at scale
Processing health data (special category) for 2 million+ patient records across three countries, requiring lawful basis documentation, DPIAs, and cross-border transfer assessments for each data flow.
DSAR volume
Patient data subject access requests routing through 45 healthcare provider clients, with no automated workflow for identity verification, data retrieval, or response tracking.
Lean compliance team
One DPO, one privacy engineer, one security analyst — insufficient for the compliance burden of GDPR, NIS2, and HDS across three jurisdictions and 45 clients.
Sprint-speed compliance
Two-week development sprints shipping features that frequently involved new data processing activities, requiring DPIAs and privacy reviews faster than traditional compliance processes could support.
FortisEU was integrated into the company's development workflow as the compliance layer that moved at sprint speed. The DPO used FortisEU's DPIA module to conduct privacy impact assessments as part of the product backlog refinement process — flagging new processing activities before code was written, not after deployment.
For DSAR management, FortisEU's workflow engine automated the end-to-end process: identity verification, data retrieval across distributed systems, response assembly, and deadline tracking — reducing the average DSAR response time from 23 days to 6 days. The NIS2 module ran alongside the GDPR programme, mapping technical security controls to both Article 32 (GDPR security of processing) and Article 21 (NIS2 cybersecurity measures).
Sprint-Integrated DPIAs
DPIA workflow embedded in product backlog refinement. Privacy reviews triggered by data flow changes, completed within sprint cycles, and automatically linked to processing records.
Automated DSAR Workflows
End-to-end data subject access request management: identity verification, cross-system data retrieval, response assembly, redaction tools, and Article 12 deadline tracking.
Health Data Mapping
Comprehensive Article 30 processing records with special category tagging, lawful basis documentation per processing activity, and automated cross-border transfer assessments.
Dual-Framework Security
Unified control mapping between GDPR Article 32, NIS2 Article 21, and HDS technical requirements — single evidence collection for three overlapping security obligations.
The three-person compliance team was able to manage a compliance programme that previously would have required six to eight full-time staff. The DPO specifically credited the sprint-integrated DPIA process as the single most impactful change — it shifted privacy from a blocker to a built-in quality attribute.
The automated DSAR workflow transformed what had been the team's biggest time sink into a semi-automated process. The average response time dropped from 23 days to 6 days — well within GDPR's one-month limit and significantly better than the healthcare sector average.
“Privacy by design used to be a slogan we put in our DPIA reports. Now it is actually how we work — the DPIA happens before the code is written, not after the feature ships. That is the difference between compliance theatre and real data protection.”
— Data Protection Officer, French Health-Tech Scale-Up