EU General Data Protection Regulation GDPR

The EU General Data Protection Regulation must be complied with starting at 25 May 2018, at the latest.

Many companies, amongst them also medical device manufacturer and operators such as hospitals, are not adequately prepared.

This article gives you a review of the main concepts and requirements of the General Data Protection Regulation and examines aspects relevant to medical devices.

• Objectives of the GDPR
• Fundamentals: Scope, Terms, Principles
• Roles
• Rights & Duties
• Consequences: Manufacturers and Operators

On 14 April 2016, the EU Parliament adopted the EU General Data Protection Regulation. Companies must comply with this regulation starting 25 Mai 2018, without any additional transitioning period.

a) Objective 1: Harmonized data protection law throughout Europe

One aim of the regulation is to replace the fragmented, national data protection law by uniform, pan-European standards. Consequently, the Federal Data Protection Act BDSG had to be revised to a great extent. This was done. It becomes effective on 25 May 2018, at the same date as the GDPR.

b) Objective 2: Strengthen data protection

With the General Data Protection Regulation, the EU Commission intents to create the legal basis for an increasingly digitalized society. For this, requirements for privacy are strengthened substantially and severe fines are imposed on infringements - up to 4% of revenues (not profit!) or 20m EUR - illustrate how serious the Commission is about privacy.

The amount of the fine depends on factors such as

• nature and amount of the data affected by the data breach,
• company's willingness to cooperate with authorities
• protective measures put in place by the company,
• as well as the respective history of the company, and
• time needed by the company to inform authorities and affected persons.

c) Objective 3: Strengthen further rights of citizens

General Data Protection Regulation not only intends to strengthen privacy, but also rights of citizens going beyond data protection.

Those rights include, inter alia:

• citizens may transmit personal data
• they may ask to view their data
• they must be informed about the purpose of data processing
• they are granted the right to demand incorrect data to be corrected and, in general, to demand all data to be erased

Examples of personal data

Examples of personal data are: name, abode, identification number, IP address of visited websites, and data on physical, physiological, genetic, mental, economic, cultural or social concerns.

Hence, personal data is not at all limited to data needed to identify a person. If the data did not comprise any date which by itself or in combination with other (external) data allowed for identification, the data would not be personal.

"Special categories" of personal data

GDPR classifies data as requiring particular protection if it is suited to reveal

• "racial or ethnic origin,
• political opinions,
• religious or philosophical beliefs, or
• trade union membership", as well as
• "genetic data
• biometric data for the purpose of uniquely identifying a natural person,
• data concerning health or
• data concerning a natural person’s sex life or sexual orientation".

c) Fundamentals and principles

Ban with permit reservation

In general, processing of personal data is prohibited, unless certain conditions are fulfilled and at least one of the following stipulations is met:

• the data subject has consented (for a specific purpose)
• processing is necessary for the performance of a contract to which the data subject is party
• processing is necessary for compliance with a legal obligation
• processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. contagious disease)

Commercial interests

GDPR also considers commercial interests and promotes free movement of data within Europe.

Further principles

Further principles (besides, e.g., consent obligation and transparency) are:

• data minimisation
• earmarking
• accuracy
• (temporal) "memory limitation"
• accountability
• integrity and confidentiality

Privacy by Design and Privacy by Default

"Privacy by Design" refers to a product's or technology's characteristic that the principles of privacy were taken into account at the time of its development and constructing. The product may, for instance, erase data of individual persons affected, or it may pseudonymize the data even before it is stored.

"Privacy by Default" means that a product's or technology's highest privacy settings are activated right from the beginning. Applied to a website, this would mean that, for example, "personal cookies" are deactivated and may only be used on the condition of consent.

a) Person controlling data processing

Examples of controllers are employers, hospitals and companies offering products and services via their website.

b) Processor

Classic examples of processors are computer centers, and providers of cloud services or software as a service.

Companies such as Google or Amazon can take on two roles: They can act as controllers when offering services directly to individuals (e.g. Gmail) and as processors when storing data on behalf of a company, e.g. when a controller uses Amazon Webservice.

c) Data subject

All individuals resident in the EU can be a "data subject", for instance in their role as employee, patient and customer.

d) Data protection officer

GDPR usually requires controllers and processors to designate a data protection officer. Read more on the officer's responsibilities, rights and duties, as well as exemption clauses below.

a) Subjects

The data subjects have the following rights:

• they may request copies of their data in a machine-readable format which is suited for further processing
• Subjects have the right to transmit those data to another controller
• They are further free to demand the erasure of their data on the condition that there are no overriding legitimate grounds
• Subjects may also call for rectification of their data

However, only the data provided by the subject fall within the scope of those rights; data derived from the provided data is not included. For instance, citizens may claim erasure of data concerning is income, name or residence from the Schufa, but not erasure of the Schufa score calculated from those data. Nevertheless, the controller must expose that the calculations were performed and must provide information of the "logic involved, as well as the significance and the envisaged consequences of such processing for the data subject".

The data subject is appertained to a prompt reaction, normally 30 days. There are restrictions, though. For instance, if a company as many or very complex requests.

b) Companies controlling data processing

The following list presents only an excerpt of the requirements for "controllers":

• Granting subjects the rights mentioned above
  Controllers must grant the subjects the above-mentioned rights and, for example, provide information on which data are stored for which purpose and for how long.
• Organisational and technical protection measures
  They must provide appropriate (state of the art) protection of data. Pseudonymisation can be one approach.
• Communication of an incident
  In case of an incident, the respective data subject (without undue delay) and the authorities (within 72 hours) are to be informed.
• Contract with processors
  If you commission another natural or legal person to process data, you have to enter into a contract with that person.
• Data protection officer
  For companies with 10 or more employees, data protection officers are obligatory. This is, however, not stipulated by the General Data Protection Regulation, but by the revised BDSG.

c) Companies processing data on behalf of a controller

Just as controllers, processors must implement all appropriate technical and organisational measures to ensure data protection. The same applies to the data protection officer.

Subcontracting is only permitted with the controller's approval.

They must comply with the controller's instructions.

a) Consequences for operators

Operators such as hospitals take on the role of "controllers" and must meet the respective legal requirements. To meet them, the following tasks are probably waiting to be dealt with:

• identification of stored data; clarification of intended purpose
• identification of processes and systems for data processing
• evaluation and establishment of security of information technology
• evaluation and establishment of conformity of data processing (also includes websites)
• evaluation and preparation of contracts with processors
• improvement and preparation of data protection declarations
• appointment of a data protection officer
• improvement or installation of process instructions (e.g. responding to emergencies)
• installation of complaint management (website, staff, processes, systems)
• training of employees

b) Consequences for manufacturers

Besides, consequences for manufacturers regarding designing devices and processes emerge. They must, inter alia, meet the system requirements:

• specific erasure of individual person's / patient's datasets
• export of datasets in a processible format, e.g. XML, if neccessary with explanations
• ensure the devices' IT security. This includes the capability of importing or removing patches and updates at short notice
• training of employees (e.g. developers)
• amending process instructions concerning data protection and IT security, e.g. process instructions for development, support, decommissioning, post-market surveillance, risk management

The requirements of "Privacy by Design" and "Privacy by Default" explicitly address manufacturers, too.

Further, manufacturers shall comply with the requirements for IT security which constitute a prerequisite for data protection. Comprehensive requirements for (IT security of) devices stem from various standards such as the UL 2900 family of standards and the FDA Cybersecurity Guidances. We compiled an overview of those requirements which you can access using Auditgarant.

For one, the EU GDPR has remarkably raised the bar. Everyone processing personal data is allowed to do so only if the data subject has given his or her consent (or if other provisions permit to do so).

On the other hand, controllers are given the chance to attain legal conformity, e.g. by making use of pseudonymisation and by creating transparency.

Nevertheless: The demands on technology, information, documentation, and evidence are immense.

There is in particular the risk that a new influx of warnings will descent upon companies. In the light of this, and of the horrendous fines, urgent priority should be given to implementing the EU General Data Protection Regulation by manufacturers and operators.

The future will show if the General Data Protection Regulation has succeeded in balancing interests of companies and individuals and in circumventing a bureaucratic monster.