Input Information

If you draw a fence around your MVP, what information goes into it and for what purposes? For example, to sign up a new medical staff to your patient journal system, your MVP will likely need their first name, last name and email address, so as to keep an audit log of all patient journal accesses.

As another example, a nurse working for a school needs to enter a child’s weight and height as part of a yearly checkout.

Output Information

Thinking again about the fence, what information goes out of your MVP and for what purpose? For example, your MVP might report the number of daily active users for the purpose of monitoring application health or billing.

Model Information

With the advent of Generative AI, applications increasingly use some kind of model. As the saying goes “AI is the new web application and Kubernetes is the new web server”. You need to understand:

• Where does the training data come from?
• How has his model been trained on the training data?
• Are there any particular pre- or post-treatment steps?

5. Know the rules

Now that you have mapped out your information flows, it’s time to think about regulatory requirements. Regulations broadly deal with two concerns:

• Privacy, i.e., making sure that you collect only as much information as you need, that you remove it after it’s no longer needed and that you don’t use it for purposes other than agreed to by the person concerned. GDPR is the main regulation in this area, but note that it is incorporated by reference into MDR.
• Security, i.e., making sure that the collected information does not get in the hands of bad people (confidentiality), doesn’t get changed in unintended ways (integrity) and is available when needed (availability). GDPR Art. 32 has some provisions related to security, but the most security-focused regulation is NIS2.

That probably doesn’t help, so let us map out some regulations with examples.

In the example above, first name and last name are personal data and fall under GDPR.

If you operate in Sweden, then information about the health of a person falls under Swedish Patient Data Laws, i.e., HSLF-FS 2016:40.

Even if your MVP is not “physical”, it might will fall under Medical Devices Regulations (MDR) if – I’m grossly simplifying here:

• Output information can lead to misdiagnosis (MDR Class I);
• Output information can lead to temporary injury (MDR Class IIa);
• Output information can lead to permanent injury (MDR Class IIb);
• Output information can lead to death (MDR Class III).

Finally, if security issues with the information processed by your MVP may lead to the disruption of services critical to society, then you might fall under NIS2.

Make sure to take the time, study these regulations carefully and assess what non-functional features your MVP needs in order to comply with these regulations. Depending on the regulation, you may deduce such non-functional requirements in two ways:

• The regulations list explicit requirements. For example, MDR is rather prescriptive about change management, and has definitions for major, minor and patch versions.
• The regulations require you to go through a risk catalog, identify risks that apply to your product and take measures to reduce the likelihood or impact of those risks. For example, the NIS1-era MSBFS 2018:8 requires you to do risk management.

6. Build the solution

This step corresponds to the “build” phase in the “build-measure-learn” loop.

Now that you identified all functional and non-functional requirements that your MVP needs to fulfill, you are ready to start developing. Noteworthy is that regulations can add quite a few non-functional requirements, so your MVP probably ended up becoming a “not-so-Minimal” Viable Product (nsMVP 😁) after the regulatory analysis above.

At this stage, it is important to avoid reinventing the wheel and focusing on technical development only on your “magic sauce”, i.e., that piece of code which truly makes you stand out from the competition. For example, you might need to make sure that your application runs in the right jurisdiction. However, that is just a “hygiene factor” and not something that will motivate your customers to try out your MVP. Similarly, you might need to think about redundancy and information backups early on. But again, those are just qualifying checkboxes and not differentiating.

To reduce development cost for non-differentiating requirements, it is paramount to leverage open source and cloud native projects, such as Kubernetes. However, be mindful that these might not fulfill your regulatory requirements out of the box.

Therefore, it is really important to select the right platform. Loosely speaking, a platform is a set of open-source and cloud native tools carefully integrated together, so as to accelerate your development team. Some platforms, such as Compliant Kubernetes, are specifically designed to comply with EU regulations and can tremendously reduce your compliance burden allowing you to put more effort into your functional requirements.

7. Measure and learn

This step roughly corresponds to the “measure” and “learn” steps in lean thinking. What have you learned from the previous steps? Do you need to redo any of the previous steps to improve your MVP?

Conclusion: Innovate Smart, Innovate Secure

In today’s world, it's not enough to just have a great idea; you need to make sure it’s safe and complies with all the rules. The 7-step process helps you do just that, blending creativity with compliance.

By following these steps, you can turn your innovative ideas into reality while staying within the bounds of regulations. This process ensures your products are both cutting-edge and trustable. So, keep innovating smartly and securely. With this approach, you’ll be able to lead with confidence, knowing your solutions are both groundbreaking and compliant. This isn’t just a way to innovate—it’s the best way to succeed.

And remember, don’t reinvent the wheel. Contact Elastisys today to streamline your innovation process and ensure compliance.