GDPR and Medical Devices

The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, and so did the financial penalties for breaching it.

GDPR applies mainly to the back-end processing behind medical devices, but it also has a great deal to say about the cloud, databases, the transport of data and the software running on the medical devices themselves.

There are a number of important considerations to take into account:

GDPR, Medical Devices and Consent

The most important thing to consider is consent. This is the main concern when a medical device is used to access or manage sensitive patient data. If a patient is using the medical device, a completed consent form from that patient must be on record. This means the patient in question has acknowledged their rights and given their consent for the processing of their information. Note that consent is one of several lawful bases GDPR recognises (health data falls under the special categories in Article 9), but wherever consent is the basis relied on, it must be recorded and demonstrable.

Configuration of Medical Devices

Medical devices must be configured to safeguard patients’ data; otherwise a breach may occur and your company could be subjected to a GDPR fine. These fines can be as high as €20m or 4% of annual worldwide turnover, whichever figure is higher, depending on the extent and nature of the infringement.

In situations where the device is used by medical staff, each individual must be able to demonstrate that their patient understands and consents to the processing of their data that will take place on the medical device (or on the back end).

Data Encryption

Encrypting the data on medical devices, both at rest and in transit, is essential. Phones that are linked to medical devices should be treated as medical devices for the purposes of compliance with GDPR Article 32 (security of processing), which names encryption explicitly as an appropriate technical measure.
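As an added illustration of what "encryption at rest" means in practice for a record stored on a device or a linked phone, the following Go program is an editor's example and not code from the original page. It encrypts a patient record with AES-256-GCM (authenticated encryption), binds the record to a device identifier as associated data so a blob copied from one device cannot be opened under another device's identity, and shows that any tampering with the stored blob is detected rather than silently decrypted. The device identifier, the sample record and the random key are constructed for the example; on a real device the key is assumed to come from a hardware-backed keystore rather than being generated in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Editor's example, not from the original page.
// EncryptRecord encrypts plaintext with AES-256-GCM and returns a single
// blob laid out as nonce || ciphertext || tag, ready to be written to
// device storage. deviceID is bound in as associated data: it is not
// encrypted, but the tag will only verify if the same ID is supplied on
// decryption. The 32-byte key is assumed to come from a hardware-backed
// keystore (assumption); the caller supplies it here.
func EncryptRecord(key []byte, deviceID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so one blob is stored.
	return gcm.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// DecryptRecord reverses EncryptRecord. It fails (with no plaintext
// returned) if the key or deviceID differ or if any byte of the blob
// was modified, which is the property that makes this suitable for
// data at rest on a device that may be lost or stolen.
func DecryptRecord(key []byte, deviceID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(deviceID))
}

func main() {
	// Random key stands in for one held in a keystore (assumption).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record and device identifier.
	record := []byte(`{"patient":"P-0001","glucose_mmol_l":5.4}`)
	blob, err := EncryptRecord(key, "pump-7f3a", record)
	if err != nil {
		panic(err)
	}

	pt, err := DecryptRecord(key, "pump-7f3a", blob)
	fmt.Println("same device:", string(pt), err)

	_, err = DecryptRecord(key, "other-device", blob)
	fmt.Println("cross-device read:", err) // authentication fails

	blob[len(blob)-1] ^= 0x01 // flip one bit of the stored blob
	_, err = DecryptRecord(key, "pump-7f3a", blob)
	fmt.Println("tampered blob:", err) // authentication fails
}
```

The same construction covers data in transit when the blob is sent to the back end: the receiver verifies the tag before trusting a single byte, and a transport layer such as TLS is still needed on top so that metadata and the device identifier are not exposed on the wire.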

Other GDPR Medical Devices Considerations

  • If data processing takes place on the medical device, the device must be recorded as a location of processing in the records that may be provided to the patient.
  • If processing on the device is considered high-risk, a formal, documented risk assessment (a data protection impact assessment under Article 35) is required.
  • Patients can also ask for processing to be halted or suspended while particulars in their data or account are being reviewed.

The data-subject rights reinforced by GDPR include:

  • The right to be informed of the type of processing of their data that will take place.
  • The right to access and review the data that is used to make decisions about them.
  • The right to be forgotten (erasure) once the service comes to an end.
  • The right to data portability, whereby the service provider must give the data subject their data in an electronic format.

These rights carry many specific processing requirements, and the relevant Supervisory Authorities, the bodies that enforce GDPR, publish policies on how these rights should be applied.

You should be sure that all medical devices your company implements for data management are used in a manner compliant with GDPR. If not, your company could end up on the receiving end of a GDPR sanction notice that could, potentially, include a very large fine.