GDPR (EU) 2016/679: the application of Data Protection for manufacturers in the medical device industry

The General Data Protection Regulation (EU) 2016/679 is ratified and will take effect in May 2018. I expect this new European law will have a big impact on how European citizens and organizations will deal with privacy. But is your organization ready to avoid heavy fines and loss of reputation resulting from non-compliance to the GDPR?

The clock is ticking, with some 3 months left to do the job!

In a recent blog, the three domains in which manufacturers of medical devices that process personal data must perform risk management activities was discussed. Recap, manufacturers must now act in the following domains:
- Safety;
- Security;
- Privacy.

In a successive blog, a practical approach on integration of safety and cyber security risk management was suggested; a technical report was introduced that could well serve as a tool to integrate security capabilities into the design of medical devices.
This third blog will go into management of the data protection management in your design, as required by the GDPR. As said, the Medical Device Regulation (MDR (EU) 2017/745) and the GDPR are applicable for manufacturers that put medical devices on the market that process personal data. (Read my previous blog)
The GDPR is a privacy law that 1) protects fundamental rights and freedoms of natural persons aka the ‘non-negotiable privacy rights the law lays down relating to the processing of personal data; and 2) management of (a natural person’s) privacy risks, which determines the appropriate measures, including security measures, to protect personal data. GDPR data protection management is executed along these two pillars. In fact, we are talking about the ‘what’ of a Data Protection Impact Assessment (DPIA) here.

Who needs to perform a DPIA?

Before answering this question, I need to introduce a few definitions copied from the GDPR:

- ‘processing’: any operation on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘controller’: the party that determines the purposes and means of the processing of personal data.
- ‘processor’: the party which processes personal data on behalf of the controller.

Typically, manufacturers of medical devices are processors. The care providers, typically hospitals and clinics, determine the means and purpose of the processing. They are the controllers.

That would mean that in this example, the manufacturer would not have the perform the DPIA. Alas, the GDPR is very clear on the requirement that controller and processor need to cooperate. Which make sense, because the manufacturer or producer of the device knows which and how personal data is processed. In the above example, the manufacturer (processor) executes the DPIA and shares this information with the care provider (controller). On the other hand, is the manufacturer just a manufacturer? Or does he hold personal data? Is the manufacturer also responsible for providing cloud services in case of internet-connected devices? Does he repair and maintain medical devices and possibly has access to health information? Does this manufacturer monitor the performance of medical devices by means of telemetry and is this information still sensitive (the whereabouts for instance of the device and thus the user/patient of the implanted or wearable device)? Will the manufacturer execute tests on real persons?

What is a DPIA?

The requirements for the privacy risk assessment are outlined in article 35 of the GDPR. A DPIA report should at least include, the following information:
a) a systematic description of processing operations and the purposes of the processing.

b) an assessment of the necessity and proportionality of the processing;
To this end, the GDPR applies several legal controls, such as data minimization, retention and the rights of a person (for instance: to be informed or to access, and rectify the data). 

c) an impact assessment to the rights and freedoms.
Included in the DPIA should be an impact study. Basically, this is the sort of scaled risk assessment method that we know from safety and (cyber) security. What is identified in the study is the impact on a person if his/her personal data is stolen, corrupted, deleted, misused or manipulated. The impact could be for instance fraud, identity theft, personal distress because of stolen data, damage to an unknowing user’s reputation and exposure of private information to the public. Even worse: it could be sabotage of a device with death as a possible result.

d) An analysis of (a natural person’s) privacy risks.
It is determined what the appropriate measures, including security measures, to protect personal data, are

Is Risk Management the full story

Certainly not. Managing the convergence of safety, (cyber)security and privacy risks are needed by integration of the risk management processes in your Quality Management System (QMS). On top of that, also other processes in your existing QMS, reflection on the GDPR requirements, such as new roles, task, and responsibilities, should be updated.
In upcoming blogs, we will go deeper into GDPR related subject:
- Quality management processes related to GDPR compliance and cyber security;
- Contract requirements of the GDPR, such as data processing agreements and data subject's consent.

If you require support or resources do not hesitate to contact Qserve’s team of experts.



Want to know more about GDPR?

Sign up here for our webinar on What is the impact of the GDPR on Medical Devices industry.

Keep an eye on our events calendar for all our trainings



Jaap Noordmans
Post date: March 05, 2018
How can we help you? Contact us