Data Protection for Medical Device Manufacturers

Since the GDPR ((EU) 2016/679) came into force in May 2018, the way personal data must be handled has changed, and many obligations have been placed on controllers and processors of personal data. But what about the manufacturers of medical devices? Some might say they do not need to do anything. EUMEDIQ would disagree on that.

Since cases like that of "Deutsche Wohnen" in 2019 showed that misconfigured or GDPR-insufficient products can lead to enforcement by a DPA (Data Protection Agency), device manufacturers should also pay attention to data privacy by design and by default. GDPR recital 78 puts it this way: "[...] When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations." The combination of such enforcement actions and findings led the German data protection authorities to propose direct obligations for providers of hardware and software in December 2019. Such proposals and enforcements show that a manufacturer carries a growing responsibility beyond its accountability for its own internal personal data.

The MDR (article 110) and the IVDR (article 103) highlight this under the term "Data Protection" while referring to Directive 95/46/EC. The GDPR repealed that directive and is therefore addressed directly as its successor. Data Protection by Design and Default (GDPR Art. 25), according to the principles of data protection (GDPR Art. 5), should be considered thoroughly during the development of products that will be provided on premise to the market. For example, laboratory instruments working with pseudonymised sample IDs plus additional test information that identifies a patient should delete that information once it has been transferred to a laboratory information management system (LIMS), since the purpose of the laboratory instrument (with regard to the operating set-up) limits the need to store the personal data.

Technical measures like these, implemented in the products, have at least two benefits. The first and direct one is that data controllers and processors are enabled by such medical devices to meet their obligations easily. The second is the customers' recognition of the features these medical devices provide: this increases trust in the manufacturer and is a selling proposition for such products.
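As an added illustration of the laboratory-instrument case described above (this is example code written for this page, not EUMEDIQ's or any device vendor's implementation), the following Python sketch models an instrument's local sample store with purpose-limited retention: identifying fields are deleted as soon as the LIMS acknowledges the transfer, a failed transfer keeps them so the sample can be resent, and a retention limit deletes them anyway if no acknowledgement ever arrives. The record layout, field names, the 72-hour limit and the sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed field set: data the instrument only needs until the sample is handed
# over to the LIMS. The pseudonymised sample_id and the result are kept.
IDENTIFYING_FIELDS = ("patient_name", "date_of_birth", "requesting_physician")


@dataclass
class SampleRecord:
    sample_id: str                      # pseudonymised ID, retained by the instrument
    received_at: datetime
    result: Optional[str] = None
    patient_name: Optional[str] = None
    date_of_birth: Optional[str] = None
    requesting_physician: Optional[str] = None
    transferred_at: Optional[datetime] = None
    minimised_at: Optional[datetime] = None

    def holds_identifying_data(self) -> bool:
        return any(getattr(self, f) is not None for f in IDENTIFYING_FIELDS)


class InstrumentStore:
    """Hypothetical local store on the instrument with purpose-limited retention."""

    def __init__(self, max_unsent_age: timedelta = timedelta(hours=72)):
        self._records: Dict[str, SampleRecord] = {}
        self.max_unsent_age = max_unsent_age   # assumed retention limit
        self.audit_log: List[str] = []

    def add(self, record: SampleRecord) -> None:
        self._records[record.sample_id] = record

    def get(self, sample_id: str) -> SampleRecord:
        return self._records[sample_id]

    def _minimise(self, record: SampleRecord, now: datetime, reason: str) -> None:
        # Delete the identifying fields; the pseudonymised ID and result stay.
        for f in IDENTIFYING_FIELDS:
            setattr(record, f, None)
        record.minimised_at = now
        self.audit_log.append(
            f"{now.isoformat()} {record.sample_id} identifying fields deleted ({reason})")

    def confirm_transfer(self, sample_id: str, lims_ack: bool,
                         now: Optional[datetime] = None) -> SampleRecord:
        """Called with the LIMS acknowledgement. Only a positive acknowledgement
        triggers deletion; a failed transfer keeps the data so it can be resent."""
        now = now or datetime.now(timezone.utc)
        rec = self._records[sample_id]
        if not lims_ack:
            self.audit_log.append(
                f"{now.isoformat()} {sample_id} transfer not acknowledged; data retained for retry")
            return rec
        rec.transferred_at = now
        self._minimise(rec, now, "transferred to LIMS")
        return rec

    def purge_stale(self, now: Optional[datetime] = None) -> List[str]:
        """Safety net: identifying data of samples never confirmed to the LIMS
        within max_unsent_age is deleted anyway. Returns the purged sample IDs."""
        now = now or datetime.now(timezone.utc)
        purged: List[str] = []
        for rec in self._records.values():
            if (rec.transferred_at is None and rec.holds_identifying_data()
                    and now - rec.received_at > self.max_unsent_age):
                self._minimise(rec, now, "retention limit reached")
                purged.append(rec.sample_id)
        return purged

    def samples_still_identifying(self) -> List[str]:
        """Audit check: sample IDs that still carry identifying data."""
        return sorted(s for s, r in self._records.items() if r.holds_identifying_data())


def demo() -> dict:
    """Runs the policy end to end on constructed sample data."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    store = InstrumentStore(max_unsent_age=timedelta(hours=72))
    store.add(SampleRecord("S-0001", t0, result="positive", patient_name="Jane Doe",
                           date_of_birth="1980-05-04", requesting_physician="Dr. Example"))
    store.add(SampleRecord("S-0002", t0, result="negative", patient_name="John Roe"))
    store.add(SampleRecord("S-0003", t0, result="pending"))   # arrived pseudonymised only

    sent = store.confirm_transfer("S-0001", lims_ack=True, now=t0 + timedelta(minutes=5))
    store.confirm_transfer("S-0002", lims_ack=False, now=t0 + timedelta(minutes=6))
    before_purge = store.samples_still_identifying()          # S-0002 still waits for retry
    purged = store.purge_stale(now=t0 + timedelta(hours=80))  # past the 72 h limit
    return {"sent": sent, "before_purge": before_purge, "purged": purged,
            "after_purge": store.samples_still_identifying(), "audit": store.audit_log}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The audit log is what a controller would ask the manufacturer for: it shows, per sample, when and why identifying data was deleted, which is the evidence that the device lets the controller meet its own obligations.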

Written by Roland Schnitter, Senior Consultant at EUMEDIQ


Fred DeTroy

Transition Change Restructuring

3 years

I agree. In the design phase, strategies like eBOM, sBOM, Fuzz Testing, Micro Penetration Testing, Security Static Analysis and Unit Boundary Testing for the design and continuous updates of SW & embedded devices should be used to mitigate vulnerabilities. The H-ISAC Lifecycle Management Working Group also develops strategies to comply with the above-mentioned requirements.
