The General Data Protection Regulation (GDPR) sets out binding rules for how organizations must handle personal data, including data generated by medical devices and software. If your company develops MedTech or software as a medical device (SaMD) that you plan to market in the European Union, you need to understand the principles of the GDPR and what goes into meeting its requirements.
In this article, we look at what the GDPR is and which companies must comply with it. Then we break down the regulation's key principles and the measures your company must take to ensure compliance. Finally, we discuss why the GDPR matters throughout the MedTech and SaMD development lifecycle and how you can achieve compliance from day one.
What Is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that has applied since 25 May 2018. It sets out rules for how personal data must be processed and protected. The GDPR applies to all organizations that process the personal data of individuals in the EU, regardless of where the organization is located.
The GDPR replaced the Data Protection Directive (95/46/EC) of 1995. Unlike a directive, which each member state transposes into its own national law, a regulation applies directly and uniformly across the EU. The new rules were designed to give individuals more control over their personal data and to harmonize data protection law across the EU while taking into account advances in technology and data collection. The GDPR sets out specific requirements for how personal data must be collected, stored, processed, and deleted, as well as requirements for transparency, data subject rights, and security.
Who Must Comply with GDPR?
Any organization that processes personal data of individuals located in the EU must comply with the GDPR. This is true regardless of where the organization itself is located.
This means that any organization that offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU, must comply with the GDPR. The regulation applies to organizations of all sizes, from small businesses to large multinational corporations. Any medical technology company or medical software company looking to market its product in the EU must comply with it.
It is worth noting that, while the United Kingdom is no longer part of the EU, the country has incorporated the same principles into its UK GDPR provision.
Key Principles of GDPR
In order to develop medical devices and software in line with the GDPR, you must first understand the basic principles of the regulation, in particular those that apply to the kind of data MedTech and SaMD products process.
Data Protection by Design and Default
This principle of the GDPR requires organizations to consider data protection and privacy issues when designing and developing products, services, and systems that process personal data. It is particularly relevant for organizations that develop MedTech and medical software, because these devices and applications process sensitive personal data. Health data is a special category of personal data under Article 9 of the GDPR and requires a high level of data protection and privacy.
Data protection by design requires organizations to consider privacy and protection issues at every stage of the product development lifecycle, from initial design and development through deployment and maintenance of the device or software. This involves implementing appropriate technical and organizational measures so that personal data is protected from day one. Data protection by default means that, without any action by the user, the device or SaMD processes only the personal data needed for each specific purpose: optional data sharing is off unless the user turns it on, and retention and accessibility are limited to what that purpose requires.
Access controls, encryption of data at rest and in transit, and limiting the data collected and processed to what the intended use requires are all important steps toward data protection compliance.
Lawful Basis for Data Processing
Organizations processing personal data must have a lawful basis for doing so. The GDPR outlines six lawful bases for processing personal data:
- Consent – The individual has given clear consent for their personal data to be processed for a specific purpose. Mobile medical applications (MMAs) commonly rely on this basis. Consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give; for health data it must be explicit.
- Contract – The processing of personal data is necessary for the performance of a contract to which the individual is a party or for steps taken at the request of the individual prior to entering into a contract.
- Legal obligation – The processing of personal data is necessary to comply with a legal obligation to which the organization is subject. This basis can be relied on when devices use personal data in order to comply with healthcare regulations.
- Vital interests – The processing of personal data is necessary to protect the vital interests of the individual or another person. This basis is meant for situations in which a person's life or physical safety is at stake and no other basis is available, for example emergency use of device data when the patient cannot give consent; it is not a routine basis for a health-monitoring product.
- Public interest – The processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organization.
- Legitimate interests – The processing of personal data is necessary for the legitimate interests pursued by the organization or by a third party. This basis is least likely to be used in MedTech and SaMD, with the exception of research meant to improve patient outcomes. But even here, it is important for organizations to ensure that their legitimate interests do not override the fundamental rights and freedoms of the individual.
Organizations developing MedTech and medical software must carefully consider the lawful basis for processing personal data and ensure they have a valid legal basis for doing so. Because health data is a special category of personal data, an Article 6 lawful basis is not sufficient on its own: the processing must also meet one of the conditions in Article 9(2), such as the explicit consent of the data subject or processing necessary for the provision of health care.
Data Minimization
This key principle of GDPR requires organizations to collect, process, and store only personal data that is necessary for the specific purpose for which it is being processed.
Data minimization requires MedTech organizations to consider the intended purpose of their device or software and to limit the collection and processing of data to what is necessary to fulfill that purpose. This may involve technical measures such as pseudonymization or anonymization. The two are not equivalent under the GDPR: pseudonymized data (for example, records keyed by a token that a separately held key can map back to the patient) is still personal data, so all of the regulation's obligations continue to apply to it; only data that can no longer be attributed to an individual by any reasonably likely means is anonymous and falls outside the GDPR.
Organizations must also consider the duration for which personal data is retained and ensure that it’s not stored for longer than necessary. This involves implementing appropriate retention policies and securely deleting or anonymizing data once it is no longer required.
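To make the pseudonymization and retention points above concrete, here is an added example, written for this article and not taken from any product or library, of how the back end of a hypothetical glucose-monitoring SaMD might minimize incoming telemetry, pseudonymize the patient identifier with a keyed hash, and anonymize readings once the retention period has passed. The field names, the one-year retention period, the sample records and the key handling are all assumptions.

```python
"""Added example for this article: data minimization, keyed pseudonymization
and retention-based anonymization for a hypothetical glucose-monitoring SaMD.
Not code from any product or library; field names, retention period and
sample data are assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Fields the intended use (trend charting for patient and clinician) actually
# needs. Anything else in an incoming record is dropped before storage.
REQUIRED_FIELDS = ("timestamp", "glucose_mmol_l", "device_id")
# Assumed retention period for identifiable (pseudonymized) readings.
RETENTION = timedelta(days=365)


def new_pseudonymization_key() -> bytes:
    """Generate the secret that links pseudonyms back to patients. In a real
    deployment it lives in a KMS or HSM, separate from the data store, so a
    leaked database alone cannot be mapped back to people (GDPR Art. 4(5))."""
    return secrets.token_bytes(32)


def pseudonymize(patient_id: str, key: bytes) -> str:
    """Stable pseudonym for one patient under one key.

    HMAC-SHA256 rather than a bare hash: patient identifiers are short and
    structured, so SHA-256(patient_id) could be reversed by hashing every
    plausible ID and comparing. With a secret key that attack needs the key.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(record: dict, key: bytes) -> dict:
    """Keep only the fields the purpose needs and replace the direct
    identifier with a pseudonym. Name, address and notes never reach storage."""
    out = {field: record[field] for field in REQUIRED_FIELDS}
    out["subject"] = pseudonymize(record["patient_id"], key)
    return out


def anonymize(record: dict) -> dict:
    """Strip the pseudonym and the device ID (an indirect identifier) and
    coarsen the timestamp to the month, leaving a reading that can no longer
    be attributed to a person by reasonably likely means."""
    return {"month": record["timestamp"].strftime("%Y-%m"),
            "glucose_mmol_l": record["glucose_mmol_l"]}


def apply_retention(records: list, now: datetime) -> list:
    """Return a new list in which every record older than RETENTION has been
    anonymized; newer records are returned as copies. The caller replaces the
    old store with the result and securely disposes of the old copy."""
    return [anonymize(r) if now - r["timestamp"] > RETENTION else dict(r)
            for r in records]


def ingest(raw_records: list, key: bytes, now: datetime) -> list:
    """Full pipeline: minimize at ingestion, then enforce retention."""
    return apply_retention([minimize(r, key) for r in raw_records], now)


# Constructed sample telemetry, as the mobile app might upload it. It carries
# fields the charting purpose never needs (name, address, free-text note).
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "name": "A. Example", "address": "1 Example St",
     "note": "felt dizzy",
     "timestamp": datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc),
     "glucose_mmol_l": 5.4, "device_id": "CGM-7781"},
    {"patient_id": "P-0001", "name": "A. Example", "address": "1 Example St",
     "note": "",
     "timestamp": datetime(2025, 3, 2, 8, 0, tzinfo=timezone.utc),
     "glucose_mmol_l": 6.1, "device_id": "CGM-7781"},
    {"patient_id": "P-0002", "name": "B. Example", "address": "2 Example St",
     "note": "",
     "timestamp": datetime(2025, 3, 2, 9, 0, tzinfo=timezone.utc),
     "glucose_mmol_l": 4.9, "device_id": "CGM-9912"},
]
# Constructed "current time" for the sample run: the first record is then
# older than RETENTION and gets anonymized, the other two are kept.
SAMPLE_NOW = datetime(2025, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    key = new_pseudonymization_key()
    for stored in ingest(SAMPLE_RECORDS, key, SAMPLE_NOW):
        print(stored)
```

Two design points are worth noting. Keeping the pseudonymization key outside the data store is what makes the stored records pseudonymous rather than identified, and destroying that key is one practical way to render an entire dataset unlinkable when a retention period or an erasure request requires it. Anonymization here does more than drop the pseudonym: the device ID is removed and the timestamp is generalized, because a precise timestamp plus a device serial is often enough to re-identify a patient even without a name.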
Data Subject Rights
GDPR grants data subjects—individuals whose personal data is being processed—a number of rights with respect to their personal data. These rights include:
- The right to be informed about the processing of their personal data. Organizations must provide individuals with clear and concise information about how their personal data is being used, who it is being shared with, and their rights under GDPR.
- The right to access their personal data and to obtain a copy of it. Organizations must respond to access requests without undue delay and at the latest within one month, which may be extended by a further two months for complex or numerous requests. Under the related right to data portability, data the individual has provided and that is processed by automated means on the basis of consent or a contract must be supplied in a structured, commonly used, and machine-readable format.
- The right to request that their personal data be rectified if it is inaccurate or incomplete.
- The right to request that their personal data be erased in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected or when the data subject withdraws consent.
- The right to restrict processing of their personal data in certain circumstances, such as when the accuracy of the data is contested or when the data subject objects to the processing.
- The right to object to the processing of their personal data on grounds relating to their particular situation, unless the organization can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject.
MedTech and medical software companies must ensure that they provide data subjects with the necessary information and mechanisms to exercise these rights. This may involve implementing technical measures to ensure the secure and timely handling of data subject requests.
International Data Transfers
The GDPR restricts transfers of personal data to countries outside the European Economic Area. A transfer is permitted where the European Commission has issued an adequacy decision for the destination country, or where appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules are in place. Organizations must ensure that every international data transfer, including transfers to a cloud provider or support team hosted outside the EEA, is conducted in compliance with these requirements.
Organizations must also give device and software users clear information about any international data transfers, including the safeguards relied on. Explicit consent is available only as a narrowly interpreted derogation for specific transfers where no adequacy decision or appropriate safeguard applies, and the user must first be informed of the possible risks; it is not a substitute for those safeguards in a product that transfers data routinely.
In addition, organizations must ensure that any service providers or partners involved in the processing of personal data are contractually bound to comply with GDPR requirements. Appropriate technical and organizational measures must be in place within partner organizations to ensure the security and confidentiality of personal data during international data transfers.
Data Security and Breach Notification
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. For MedTech and medical software companies, breaches affecting sensitive medical or health-related information can have serious consequences for their users.
The GDPR requires a controller to report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects without undue delay. A processor, such as a hosting or analytics provider, must notify the controller without undue delay after becoming aware of a breach, so contracts with such providers should fix a notification deadline short enough to leave the controller time to meet its own 72-hour window.
Companies must implement appropriate technical and organizational measures to ensure the security of personal data, such as encryption, access controls and authentication mechanisms, vulnerability assessments and security testing, staff training, and incident response plans.
Given the sensitivity of the data MedTech companies process, it is vital that they conduct thorough risk assessments to identify potential vulnerabilities and implement appropriate measures to mitigate them. Where processing is likely to result in a high risk to individuals, as large-scale processing of health data generally is, the GDPR requires a Data Protection Impact Assessment (DPIA) before the processing begins. Organizations should also regularly review and update their security measures to keep up with changing security threats.
Data Privacy and the MedTech Development Lifecycle
Medical devices and certain health apps must comply with the EU's Medical Device Regulation (MDR). If these products also process personal data, they must comply with the GDPR as well. The two regimes are independent and apply in parallel: CE marking under the MDR does not establish GDPR compliance, and GDPR compliance does not satisfy the MDR. The MDR's requirements for IT security and risk management do overlap with the GDPR's security obligations, so the same design-stage work can serve both.
Regardless of medical device status, the cost of noncompliance with the GDPR when marketing products that process personal data in the EU can be steep. Certain data protection violations carry fines of up to 20 million euros or 4% of the organization’s total global turnover of the preceding fiscal year, whichever is higher.
By integrating GDPR requirements into their development lifecycle, MedTech and SaMD companies can protect the privacy and security of personal data, mitigate potential risks, and avoid legal consequences for noncompliance. This integration begins in planning, is vital during development, and continues long after the device or software reaches the market.
If you have questions about integrating data protection and privacy into the development of your medical technology, SaMD, or connected app, we have the answers. Connect with us today to learn more about how Sequenex can help your company achieve GDPR compliance and find success in the EU market.