The rapid rise of health tracking apps has brought new convenience to users, as well as growing risks to personal data. These platforms often collect and process highly sensitive information about physical and mental health, raising urgent concerns for data protection officers (DPOs) worldwide.

According to Statista, the digital health market, which includes healthtech apps, had over 1.3 billion users worldwide in 2024, with the Digital Fitness & Well-Being segment alone expected to reach 2.1 billion users by 2029. While users knowingly sign up for the ability to track their health, there is an increased need for strong data governance to ensure personal and sensitive data remains protected. 

Managing third-party integrations and cross-border transfers 

Health apps rarely operate in isolation. Many integrate with third-party platforms like cloud services, analytics providers, wearables, and even social media. While these integrations improve user experience, they also create complex data-sharing networks that are difficult to monitor and control. 

Users may unknowingly consent to broad data sharing with external entities that have different privacy policies or security practices. Some integrations involve pseudonymised or aggregated data, but even this can be re-identified using advanced techniques. 

When apps operate across borders, risks increase further. For example, China’s Personal Information Protection Law (PIPL) requires that companies storing large volumes of personal data keep it within China. Any attempt to transfer data out of the country requires a security assessment. These strict conditions are not unique to China; many jurisdictions have introduced robust controls on international data flows. 

Here, a DPO’s role is crucial. They must review third-party data processing agreements, define roles and liabilities under frameworks like GDPR Articles 26 and 28, and ensure compliance with local laws such as Brazil’s LGPD or China’s PIPL. In cross-border contexts, DPOs are also responsible for validating transfer mechanisms, such as Standard Contractual Clauses or adequacy decisions, and ensuring all safeguards are in place.

Building strong safeguards for special category data 

Despite public concern over health data privacy, consumer demand for accessible and affordable health tech is rising. This trend means organisations are collecting more sensitive personal data than ever. 

Under GDPR, health data is considered “special category data” and requires extra protection. The California Consumer Privacy Act (CCPA) also mandates clear opt-out mechanisms for the use of sensitive data. DPOs must ensure that their organisations implement explicit consent processes, data minimisation, and robust agreements with data processors. 

Regular Data Protection Impact Assessments (DPIAs) help identify and mitigate risks, while aligning with global laws such as HIPAA in the US or Canada’s Consumer Privacy Protection Act. A proactive DPO ensures safeguards are not only in place but consistently maintained. 

Responding to data breaches effectively 

For health tracking apps, a strong breach response strategy is non-negotiable. DPOs are increasingly integral to the cross-functional teams, including IT and security, that quickly detect, contain, and assess the severity of incidents. Regulatory requirements such as the GDPR’s 72-hour breach notification rule demand swift and accurate reporting, and close collaboration between these teams ensures that notification happens on time when it is required.

By leading response efforts, DPOs help minimise legal exposure, protect data subjects, and support organisational resilience during a crisis. 

At HewardMills, our global team of Data Protection Officers works closely with organisations in the health tech sectors to ensure compliance and build privacy into every layer of the business. Whether reviewing current safeguard strategies or advising on cross-border data transfers, we provide tailored, practical guidance to help you stay ahead of evolving regulations.