GDPR for Medical Devices

The growth of the Internet has brought connected medical devices to the fore. They can help with everything from the monitoring of patients to the collection and use of statistical data. This helps to improve medical care across the globe and progresses the medical knowledge of health professionals. The use of these devices provides many financial and efficiency benefits for healthcare providers as well as helping to improve the safety of patients. In order for these devices to be successful, it is necessary to collect and process the personal data of individuals.

The concern for businesses and organisations that process the personal health information of individuals who live within the European Union is that they need to ensure they comply with the stipulations detailed in the General Data Protection Regulation (GDPR), once it becomes law on May 25 2018. This is especially important in respect of personal data that directly relates to health as this type of data is considered to be high risk under GDPR rules.

Protection of Data Relating to Health

GDPR applies to all types of health-related data. This data includes:

  • Information gathered when registering for any form of medical treatment.
  • Unique identifiers assigned to individuals. This can include hospital admission numbers, for instance.
  • Any results of medical examinations and testing.
  • Any information regarding the health condition or treatment of an individual.

All of this information is subject to the rules of GDPR once it becomes law.

Requirement for a Privacy Impact Assessment

Under the stipulations of GDPR, it is compulsory for every business or organisation that is involved with processing personal health information to conduct a Privacy Impact Assessment (PIA) before data is processed. This is because this type of personal data is considered to be high risk when it comes to protecting the rights and freedoms of the individual. These assessments have to include information regarding the necessity for processing the data, weighed against the privacy rights of the individual. They also need to include full details of the steps that the business or organisation has taken in order to ensure compliance with GDPR stipulations.

This compliance is an essential aspect of the running of any business or organisation. For businesses that deal with medical devices, and their use, non-compliance could have very serious consequences. The costs can be enormous, from both a reputational and a financial point of view. It is possible for the relevant Data Protection Authority (DPA) to impose fines of up to €20m or 4% of annual turnover, whichever is higher, in cases of non-compliance. No business or organisation can afford for this to happen. Arguably, reputational damage could be even more costly. People are likely to be wary of dealing with an organisation that has been found to be in breach of data protection and privacy laws. This situation can be difficult to rectify. It can take years for a sense of trust to be restored.