Since the GDPR ((EU) 2016/679) came into force in May 2018, the way we need to go concerning personal data has changed and many obligations were placed on controllers and processors of personal data. But what about the manufacturers of medical devices? Some might say they do not need to do anything – EUMEDIQ would disagree on that.
Since cases like the one of the “Deutsche Wohnen” in 2019 showed that misconfigured or even GDPR insufficient products could lead into an enforcement by a DPA (Data Protection Agency), also device manufacturers should pay some attention to data privacy by design and default. This is written in the GDPR recital 78 as well “[…] When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.” The combination of some enforcements and findings brought the German data protection authorities to the point to propose direct obligations to providers of hard and software back in December 2019. Such proposals and enforcements show that there is a growing responsibility for a manufacturer, besides the accountability for internal personal data. The MDR article 110 & IVDR article 103 highlights this using the term “Data Protection” while referring to the directive 95/46/EC. The GDPR repealed the directive and therefore is directly addressed as the directive’s successor. Data Protection by Design and Default (GDPR Art. 25) according to the principles of data protection (GDPR Art. 5) should be considered deeply during the development of products that will be provided on premise to the market. I.e., laboratory instruments working with pseudonymised sample IDs and additional information about the test identifying a patient shall delete such information after they are transferred to a laboratory information management system as the purpose of the laboratory instrument limits (with regards to the operating set up) the need to store the personal data. Such technical measures implemented to the products will have at least two benefits. The first and direct one is that data controllers and processors are enabled with these medical devices to act easily according to their obligations. The second is the customer recognition of the features provided by such medical devices. This will increase the trust into the manufacturer and it is a selling proposition for such products.
Written by Roland Schnitter, Senior Consultant
Subscribe to EUMEDIQ’s newsletter – Link