GDPR and Medical Devices

by | May 20, 2019

The EU’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, as did financial penalties for breaching the legislation.

While GDPR applies mainly to the back-end workings of medical devices, it also has a great deal to say about the cloud, databases, the transport of data, and the software running on the medical devices themselves.

There are a number of important considerations to take into account:

GDPR Medical Devices and Consent

The most important thing to consider is consent. This is the main concern when a medical device is used to access or manage sensitive patient data. If a patient is using the medical device, a completed consent form from that patient must be on record. This means the patient in question has acknowledged their rights and given their consent to the processing of their information.

Configuration of Medical Devices

Medical devices must be configured to safeguard the patients’ data, otherwise a breach may occur and your company could be subjected to a GDPR fine. These fines can be as high as €20m or 4% of annual global revenue, whichever figure is higher, depending on the extent and range of the breach that occurred.

In situations where the device is being used by medical staff, each individual must be able to demonstrate that their patient understands and consents to the processing of their data that will take place on the medical device (or on the back end).

Data Encryption

Encrypting the data on medical devices, both at rest and in transit, is of the highest importance. Phones that are linked to medical devices should be considered medical devices for the purposes of compliance with GDPR Article 32.

Other GDPR Medical Devices Considerations

  • If data processing takes place on the medical device, it will need to be recorded as a place of processing on reports that may go back to the patient.
  • If processing on the device is thought of as high-risk, it will need a formal and recorded risk assessment.
  • Patients can also ask for processing to be ended or suspended while particulars in their data or account are being reviewed.

The rights of data subjects that are reinforced through GDPR are:

  • The right to be advised of the type of processing of their data that will take place.
  • The right to access and review the data that is being used to make decisions in relation to the data subject.
  • The right to be forgotten once the service comes to an end.
  • The right to data portability, where the service supplier must provide the data subject with their data in electronic format.

These rights carry many specific processing requirements, and the relevant Supervisory Authorities (the bodies that enforce GDPR) have policies on how these rights should be applied.

You should be sure that all medical devices your company is implementing for data management are being used in a manner compliant with GDPR. If not, your company could end up on the receiving end of a GDPR sanction notice that could, potentially, include a massive fine.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
