European General Data Protection Regulation (GDPR)


With digital medical devices spreading all over the world, a trend further accelerated by the Covid pandemic, the General Data Protection Regulation (GDPR) has become extremely important in recent years.

GDPR can be considered the main European digital privacy legislation.

The GDPR, whose official reference is Regulation (EU) 2016/679, contains the main requirements associated with data privacy and security. It is surely a tough regulation, not only in terms of fully understanding the requirements and the way in which compliance can be demonstrated, but also in terms of penalties: administrative fines can reach up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for organisations unable to align with the GDPR.

Nowadays the use of personal data by external companies has become more and more widespread, and thus it became necessary to have a strict law regulating the privacy of users and the security of the data collected from them.

This applies to medical device companies as well. The increased importance of digital health technologies and their ability to collect personal medical information makes the GDPR fully applicable to the medical device industry.

In this article we will go through the main requirements associated with the General Data Protection Regulation, highlighting the main principles behind the regulation and the main documentation needed to demonstrate compliance with this regulation.

What are the principles of the GDPR? 

Article 5 of the GDPR provides a precise overview of the main principles behind this European regulation. There are seven principles in total, listed in the sections below.

We will go through all seven principles, in order to explain in detail what the pillars of the European General Data Protection Regulation (GDPR) are.

Lawfulness, fairness and transparency according to GDPR

First, it is stated that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject”.

The concept of lawfulness is quite straightforward: the GDPR must always be respected when dealing with data collected from EU citizens. The activity of “dealing with data” may include different actions such as data collection, data storage and data processing.

Fairness means that the actions taken and the use made of the collected data shall be aligned with what was communicated to the customer or user before the collection started.

Finally, the concept of transparency relates to the adequate information that needs to be provided to the data subject about the purpose of the data collection. Obviously the timeframe is important as well: the duration of data processing shall be aligned with the information provided to the data subject.

Purpose limitation

The purpose of the data collection needs to be clearly communicated to the data subject and, in general, to the client. As stated in the GDPR, this purpose must be “specified, explicit and legitimate”. In other words, it is only possible to collect data for the purpose that was communicated before the collection started and for which the data subject gave consent (consent being one of the lawful bases listed in Article 6; the purpose limitation applies whichever basis is used).

Data Minimization

The regulation states that “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. 

What does this mean from a practical standpoint? It means that the data collected shall be limited to what is strictly necessary for the stated purpose. The amount and type of data collected shall be properly justified; it is not possible to collect data with no specific reason or justification.

Accuracy

Personal data shall be accurate and, where necessary, kept up to date. It is necessary to regularly check whether there are invalid or outdated data and to erase or rectify them without delay; according to the GDPR this is fully the responsibility of the data controller.

Storage Limitation

Article 5(1)(e) of the GDPR introduces the concept of storage limitation. The concept is quite wide, but basically the principle requires personal data to be stored only for a limited timeframe: data that are no longer needed shall not be kept. Organisations may perform periodic reviews to identify, and address, data stored beyond their intended use.

From a practical standpoint, the organisation may have a data retention policy in place, similar to the document control requirements of ISO 13485:2016 and the European Medical Device Regulation. Typically, when data are no longer needed or have been stored beyond the retention period, the organisation may either erase, anonymise, or pseudonymise them. Note that pseudonymised data are still personal data under the GDPR (Recital 26), because the controller can re-identify them with the separately stored key; pseudonymisation reduces risk, but only anonymisation or erasure takes the data out of scope.
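As an added example, not taken from the original article, the retention sweep below shows the three outcomes of such a policy in code: records past a first period lose their direct identifiers and get a keyed pseudonym, records past a second period are anonymised (pseudonym dropped, date of birth generalised to a decade), and records past a third period are erased. The record layout, the periods, the sample records and the key are all assumptions for illustration; the key is kept as a separate constant to mirror the GDPR requirement that the additional information needed for re-identification be stored separately from the data.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Hypothetical retention policy, in days after collection. The figures are
# assumptions for this example; the GDPR sets no fixed periods.
POLICY = {
    "pseudonymize_after_days": 365,    # replace direct identifiers with a keyed token
    "anonymize_after_days": 3 * 365,   # drop the token too, generalise quasi-identifiers
    "erase_after_days": 10 * 365,      # delete the record outright
}

# Pseudonymisation key. It must be kept separately from the data set (Art. 4(5))
# so that the token cannot be linked back to a person without it. Constructed
# for this example; in practice load it from a secrets store.
PSEUDO_KEY = b"example-key-stored-separately"

DIRECT_IDENTIFIERS = ("name", "email")

# Reference date for the sweep and constructed sample records (not real data).
NOW = datetime(2021, 8, 13, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"subject_id": "S-001", "name": "Anna Example", "email": "anna@example.org",
     "birth_date": "1980-04-12", "reading": 72, "collected_at": "2021-06-01T09:00:00+00:00"},
    {"subject_id": "S-002", "name": "Ben Example", "email": "ben@example.org",
     "birth_date": "1975-09-30", "reading": 88, "collected_at": "2019-08-01T00:00:00+00:00"},
    {"subject_id": "S-003", "name": "Cai Example", "email": "cai@example.org",
     "birth_date": "1992-01-20", "reading": 64, "collected_at": "2017-05-10T00:00:00+00:00"},
    {"subject_id": "S-004", "name": "Dee Example", "email": "dee@example.org",
     "birth_date": "1968-11-02", "reading": 91, "collected_at": "2010-02-01T00:00:00+00:00"},
]


def subject_token(key: bytes, subject_id: str) -> str:
    """Keyed hash of the subject identifier: stable for the key holder, not
    recomputable or reversible by anyone without the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Remove direct identifiers and replace the subject id with a keyed token.
    The result is still personal data: the controller can re-identify it with the key."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = subject_token(key, out.pop("subject_id"))
    return out


def anonymize(record: dict) -> dict:
    """Drop every identifier, including any pseudonym, and generalise the date of
    birth to a decade band so the remaining fields no longer single out a person."""
    drop = DIRECT_IDENTIFIERS + ("subject_id", "subject", "birth_date")
    out = {k: v for k, v in record.items() if k not in drop}
    year = int(record["birth_date"][:4])
    out["birth_decade"] = f"{year // 10 * 10}s"
    return out


def decide(record: dict, now: datetime, policy: dict) -> str:
    """Map a record's age to the retention action the policy requires."""
    age_days = (now - datetime.fromisoformat(record["collected_at"])).days
    if age_days >= policy["erase_after_days"]:
        return "erase"
    if age_days >= policy["anonymize_after_days"]:
        return "anonymize"
    if age_days >= policy["pseudonymize_after_days"]:
        return "pseudonymize"
    return "keep"


def retention_sweep(records, now=NOW, policy=POLICY, key=PSEUDO_KEY):
    """Apply the policy to every record. Returns the records to retain and a
    count per action; the summary deliberately carries no identifiers, so the
    sweep log does not itself become a copy of the erased data."""
    retained = []
    summary = {action: 0 for action in ("keep", "pseudonymize", "anonymize", "erase")}
    for rec in records:
        action = decide(rec, now, policy)
        summary[action] += 1
        if action == "keep":
            retained.append(dict(rec))
        elif action == "pseudonymize":
            retained.append(pseudonymize(rec, key))
        elif action == "anonymize":
            retained.append(anonymize(rec))
        # "erase": nothing is retained
    return retained, summary


if __name__ == "__main__":
    kept, counts = retention_sweep(SAMPLE_RECORDS)
    print(counts)
    for row in kept:
        print(row)
```

Run against the sample set, one record falls into each bucket: the June 2021 record is kept as-is, the 2019 record comes back with a 16-character token in place of name, e-mail and subject id, the 2017 record keeps only the reading, the collection time and a `birth_decade` of `1990s`, and the 2010 record is not returned at all. A real implementation would also generalise or drop `collected_at` when anonymising, since a precise timestamp can itself re-identify a person when combined with other data.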

Integrity and confidentiality

Integrity and confidentiality are key factors for data security. The concept of data integrity, for example, is essential to computer system validation and the related regulations, such as 21 CFR Part 11.

The GDPR text mentions the following:

“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

As can be seen, the requirement is rather broad and it is up to the organisation to ensure that an adequate level of security is in place. This may include access control for the applications where data are stored, a backup policy and a business continuity plan, so that a recovery plan is ready in case of need. Article 32 gives concrete examples of such measures: pseudonymisation and encryption of personal data, the ability to restore availability and access in a timely manner after an incident, and a process for regularly testing the effectiveness of the measures.

Moreover, active monitoring may be in place to make sure the organisation remains aligned with the measures adopted to ensure the integrity and confidentiality of the collected data.

Accountability: the last GDPR principle

The last GDPR principle is accountability. The principle is simple: the data controller shall be able to demonstrate compliance with the GDPR. In order to achieve regulatory compliance, several actions may be necessary, including, for example, training the personnel, assigning responsibilities for data protection inside the organisation, appointing a DPO (Data Protection Officer) where Article 37 requires one, as is typically the case for large-scale processing of health data, and ensuring an adequate level of documentation.

Conclusions

In conclusion, we went through a high-level introduction to the main principles of the General Data Protection Regulation in Europe. This regulation is quite complex, but it has a big impact on digital medical device companies that deal with large amounts of personal data.

In the coming months, a series of articles on the GDPR will be published on QualityMedDev, in order to help and support organisations in their effort to reach a good level of compliance with this regulation.

QualityMedDev Newsletter

QualityMedDev is an online platform focused on Quality & Regulatory topics for the medical device business.

Thanks to the QualityMedDev newsletter, you will stay updated with the most recent articles published on the website, along with news from the regulatory world, particularly in the context of the new EU MDR and IVDR.

Do not forget to have a look at our services, specifically focused on three main topics:

  • The construction of a brand new quality system
  • Software validation / computer system validation activities, either for software embedded in a medical device or for software used within the quality system
  • Training over a broad range of quality and regulatory topics

If there is a topic on which you would like more information, or you need a template or document that is currently not available in our QualityMedDev Shop, do not hesitate to contact us and we will do our best to fulfil your request.

Source: https://www.qualitymeddev.com/2021/08/13/gdpr/
