Take control of your sensitive data environments.

KDPO supports pharmaceutical companies, health startups, medical device manufacturers and AI software vendors, and health, prevention & life insurers in structuring, proving, securing and designing their sensitive data environments — with priority on health data.

Regulatory framework
  • RGPD Art. 9
  • HDS
  • AI Act
  • MDR
  • Insurance Code

Restore order, proof and security

KDPO intervenes when data flows already exist, when obligations strengthen, when responsibilities cross. Four verbs, four moments of intervention.

  1. Clarify: unclear → visible (Frame · Qualify)
  2. Take control: fragmented → governed (Govern · Document & prove)
  3. Secure: at risk → resilient (Protect)
  4. Design: reactive → designed with trust (Conceive · Activate)

A legible transformation

Before     | After               | Description
Unclear    | Visible             | Knowing what is processed, where, with whom and why
Fragmented | Governed            | Governance, roles, ongoing steering
At risk    | Resilient           | Data protected, incident response prepared
Reactive   | Designed with trust | Trust embedded from the origin

Four priority environments

Eligibility criterion: the nature of the data, not the sector. Sensitive data, with priority on health data.

Pharmaceutical companies

Patient programmes, clinical trials, pharmacovigilance, data/AI partnerships, digital solutions.

Health startups

Patient apps, telemedicine, digital health platforms, connected devices.

Medical devices / AI software

SaMD, AI health solutions, CE marking, training datasets, algorithmic traceability.

Health, prevention & life insurers

Medical questionnaires, risk selection, health scoring, prevention, sick leave, claims, life underwriting with medical component.

When KDPO becomes useful

  1. Clarify: flows, responsibilities and priorities lack legibility.
  2. Take control: governance, documentation and arbitration need structuring.
  3. Secure: resilience must be strengthened, an incident prepared, exposure reduced.
  4. Design: a product, an AI component or a high-risk device must embed trust from the start.

Sensitive data environments become more complex, more exposed, more monitored

Organisations must be able to demonstrate their control before an audit, a partnership, a fundraising, a product launch or a sensitive decision.

Multiplied flows

The number of sensitive data flows grows with every partnership, platform, integration or product.

Documentary requirements

CNIL and EDPB now expect documented, dated, enforceable evidence — not principles.

Partner demands

Pharma sponsors, insurers and investors require an RGPD posture before signing.

AI Act and traceability

Algorithmic systems must justify their datasets, training basis and oversight loop.

MDR and HDS

Medical software and health hosting carry their own evidence chain to maintain.

Proof beats principle

Auditability, governance and traceability decide outcomes — declarations alone do not.

Scoping diagnostic

The recommended entry point. In 2 to 4 weeks, KDPO produces an actionable picture of the sensitive data environment: scope, risks, priorities, trajectory.

The diagnostic is not a theoretical exercise. It is a decision tool.

The deliverables are tangible, enforceable and usable in an audit, a partnership, a due diligence or a sensitive decision.

Duration: 2 to 4 weeks
Deliverables:
  • Scoping note
  • Initial mapping of processing activities
  • Risk matrix
  • Documented arbitrations
  • Prioritised action plan
  • Remediation trajectory
Method: targeted interviews, document review, flow analysis, risk qualification
Client effort: limited and framed

A progressive intervention trajectory

Three progressive intervention phases. The diagnostic produces the reading. The control work produces the control framework. The continuous steering maintains its governance.

  1. Scoping diagnostic

    See the system

    Map the flows, identify risks, grey zones, missing documents and priority arbitrations.

  2. Taking control

    Document, arbitrate, secure

    Document, prioritise, secure, structure governance and produce the required evidence.

  3. Continuous steering

    Sustain governance

    Maintain governance, follow regulatory shifts, prepare audits, partners and sensitive decisions.

Four concrete situations

01 Pharmaceutical company
Trigger: Launch of a patient programme. Multiple external partners. No documented RGPD framework.
KDPO action: Scoping diagnostic. Mapping of processing activities. Prioritised DPIA. Trajectory over 6 months.
Outcome: Sensitive data governance documented and enforceable. Partner contracts realigned.

02 Health startup
Trigger: Investor due diligence on RGPD posture. No record of processing activities. No DPIA.
KDPO action: Scoping diagnostic. Minimum enforceable baseline: record of processing activities, prioritised DPIA, HDS host DPA.
Outcome: Demonstrable compliance before fundraising. Architecture designed to last.

03 Medical device manufacturer / AI software vendor
Trigger: CE marking preparation. AI Act qualification pending. Training dataset to constitute.
KDPO action: Scoping diagnostic. RGPD × MDR × AI Act articulation. Lawful basis for training data.
Outcome: Integrated regulatory dossier. Lawful and documented training base. Defensible lifecycle.

04 Health, prevention & life insurer
Trigger: CNIL audit preparation. Health scoring algorithm to defend. Reinsurer partnership.
KDPO action: Scoping diagnostic. Mapping of sensitive data processing activities across the chain. Roles clarified.
Outcome: Demonstrable compliance facing a CNIL audit. Underwriting algorithms documented.

What KDPO produces

Demonstrable compliance

System documented, enforceable, auditable.

Trust

Credible framework for regulators, patients, partners.

Resilience

Incident response capacity, continuity maintained.

Innovation capacity

Controlled framework enabling robust innovation.

Get in touch

For a scoping diagnostic or a question on your exposure to sensitive data regulation.

contact@kdpo.fr
KDPO Consulting
42 cours Pierre Vasseur
91120 Palaiseau