Exposed genetic data

5 keys on privacy, AI, and biotech with Karen Sanchez

Karen Sanchez is a prominent voice at the intersection of law, technology, and health. With expertise in privacy, AI, and regulation for biotech companies, her approach combines legal rigor with practical thinking. In this conversation, we explore how new regulations are reshaping the biotech sector, a field that is both critical and often invisible.

Karen identifies the exposure of genetic and health data as the primary concern. “A security breach implies not only economic sanctions, but also profound damage to patient, user, and investor trust,” she explains.

Unlike other types of personal data, genetic data is immutable. You cannot change your DNA the way you change a password. A leak of this kind has permanent consequences for those affected, which greatly increases the impact of any incident.

2. Real integration of regulatory compliance

While many startups understand regulations, few truly integrate them into their strategy. Most treat compliance as reactive rather than proactive, viewing it as something to address only when problems arise.

Karen insists that biotech companies need to shift this mindset: compliance is not an obstacle to innovation but an enabler. Companies that integrate privacy and security from the design phase of their products have a clear competitive advantage over those that treat it as an afterthought.

3. Privacy by design: accessible for SMEs

The expert confirms this approach is realistic when proportionally adapted. Rather than requiring excessive spending, companies should implement fundamental principles from the start: data minimization, access controls, and pseudonymization, with legal guidance during design phases.

Initial steps include mapping data flows, establishing reliable electronic consent tools, developing breach response protocols, and consulting guidance from organizations like Spain’s AEPD or the European EDPB.

4. The impact of NIS2 and DORA on the biotech sector

These regulations expand the definition of critical sectors and will inevitably affect biotech companies. Most biotech firms remain unaware that they will fall within this regulatory scope.

Karen recommends that companies adopt standards like ISO 27001 and develop digital continuity plans now, before regulatory pressure intensifies. “Companies that prepare early not only avoid penalties but also position themselves better with investors and partners,” she notes.

5. AI governance in healthcare

The legal framework for healthcare AI remains immature. The AI Regulation represents progress, but most biotech companies lack internal algorithmic governance structures. Karen stresses: “Many firms deploy models they did not create and do not realize they bear legal responsibility for them.”

Successful integration requires scalability and automation, with compliance functioning as an enabler rather than a blocker. Legal, technical, and business teams must collaborate from the inception of each project.

The role of cyber insurance

While cyber insurance offers financial coverage and rapid response services, it must complement, not replace, solid legal strategies for data protection and AI compliance.

This partnership is essential. Successful projects emerge when legal professionals work alongside scientists and engineers from the beginning, rather than acting as external consultants at the end of the process.

Looking ahead

Karen anticipates more flexible regulation, particularly for emerging technologies like genetic editing. She envisions greater institutional support for innovative SMEs through legal sandboxes, proactive advisory services, and regulatory mentoring.

Most importantly, she advocates for a mindset shift: recognizing legal support as a strategic investment rather than an expense.

The modern lawyer’s role

Legal professionals must transition from regulatory interpreters to innovation architects, actively designing strategies and collaborating with technical teams as integral project participants.

Karen concludes that “at the intersection of science, data, and technology, innovation alone is not enough. Protection must enable transformation” for biotech to achieve ethical, secure, and genuinely human advancement.