The EU General Data Protection Regulation must be complied with starting on 25 May 2018, at the latest.
Many companies, among them medical device manufacturers and operators such as hospitals, are not adequately prepared.
This article gives you a review of the main concepts and requirements of the General Data Protection Regulation and examines aspects relevant to medical devices.
On 14 April 2016, the EU Parliament adopted the EU General Data Protection Regulation. Companies must comply with this regulation starting 25 May 2018, without any additional transition period.
One aim of the regulation is to replace the fragmented national data protection laws with uniform, pan-European standards. Consequently, the German Federal Data Protection Act (BDSG) had to be revised to a great extent. This was done. It becomes effective on 25 May 2018, the same date as the GDPR.
With the General Data Protection Regulation, the EU Commission intends to create the legal basis for an increasingly digitalised society. For this, requirements for privacy are strengthened substantially, and the severe fines for infringements (up to 4% of revenues, not profit, or 20m EUR) illustrate how serious the Commission is about privacy.
The amount of the fine depends on factors such as
The General Data Protection Regulation not only intends to strengthen privacy, but also rights of citizens that go beyond data protection.
Those rights include, inter alia:
All natural and legal persons (usually companies) processing personal data must comply with the General Data Protection Regulation. The regulation applies to all sectors and sizes of companies.
It is also irrelevant whether data is processed automatically or manually. The GDPR is not even restricted to electronic data. Even though a "filing system" is mentioned, the term is defined to mean "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis".
All companies which process personal data "in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not" must apply the GDPR.
Companies processing personal data of European citizens or residents must obey the GDPR, even if they are established outside of the EU (fig. 2). With this, the EU certainly also had companies such as Facebook and Google in mind.
The General Data Protection Regulation only grants exceptions if data is processed in the course of a purely personal activity or if the processing is carried out for the purposes of national security and criminal prosecution.
Personal data is defined by the General Data Protection Regulation as any information relating to an identified or identifiable natural person.
"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
Examples of personal data are: name, place of residence, identification number, IP address (e.g. as logged by visited websites), and data on physical, physiological, genetic, mental, economic, cultural or social matters.
Hence, personal data is not at all limited to data needed to identify a person. Conversely, if the data did not contain any item which, by itself or in combination with other (external) data, allowed identification, the data would not be personal.
GDPR classifies data as requiring particular protection if it is suited to reveal
In general, processing of personal data is prohibited, unless certain conditions are fulfilled and at least one of the following stipulations is met:
GDPR also considers commercial interests and promotes free movement of data within Europe.
Further principles (besides, e.g., consent obligation and transparency) are:
"Privacy by Design" refers to a product's or technology's characteristic that the principles of privacy were taken into account at the time of its development and construction. The product may, for instance, erase the data of individual data subjects, or it may pseudonymise the data even before it is stored.
"Privacy by Default" means that a product's or technology's highest privacy settings are activated right from the beginning. Applied to a website, this would mean that, for example, "personal cookies" are deactivated and may only be used on the condition of consent.
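The two principles above can be made concrete in code. The following is an added example written for this article, not code from the Johner Institute or from any product it describes: a small record store that pseudonymises the patient identifier with a keyed HMAC before anything is written (Privacy by Design), drops direct identifiers from the stored record (data minimisation), starts every optional processing switched off until the data subject opts in (Privacy by Default), and supports erasure of everything held for one subject. The class name, the field names in DIRECT_IDENTIFIERS and the settings in PrivacySettings are assumptions chosen for the example; the sample measurements are constructed and not real patient data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Fields that directly identify a person; they are dropped before storage
# (data minimisation). The field names are assumptions for this example.
DIRECT_IDENTIFIERS = {"name", "patient_id", "date_of_birth", "address"}


@dataclass
class PrivacySettings:
    """Privacy by Default: every optional processing starts switched off."""
    analytics_cookies: bool = False
    marketing_emails: bool = False
    research_sharing: bool = False


class PseudonymisingStore:
    """Stores measurements under a keyed pseudonym instead of the patient identifier."""

    def __init__(self, key: Optional[bytes] = None):
        # The HMAC key is the only link between pseudonym and patient identifier.
        # The controller keeps it separately from the stored records; a processor
        # holding only the records cannot re-identify anyone.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._records: Dict[str, List[dict]] = {}
        self._settings: Dict[str, PrivacySettings] = {}

    def pseudonym(self, patient_id: str) -> str:
        # HMAC rather than a plain hash: without the key, a short patient ID
        # cannot simply be guessed, hashed and matched against the store.
        return hmac.new(self._key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def store_measurement(self, patient_id: str, measurement: dict) -> str:
        """Pseudonymise before storing; direct identifiers never reach the record."""
        pseudo = self.pseudonym(patient_id)
        minimised = {k: v for k, v in measurement.items() if k not in DIRECT_IDENTIFIERS}
        self._records.setdefault(pseudo, []).append(minimised)
        self._settings.setdefault(pseudo, PrivacySettings())
        return pseudo

    def records_for(self, patient_id: str) -> List[dict]:
        """Right of access: everything stored for this data subject."""
        return list(self._records.get(self.pseudonym(patient_id), []))

    def settings_for(self, patient_id: str) -> PrivacySettings:
        return self._settings.get(self.pseudonym(patient_id), PrivacySettings())

    def opt_in(self, patient_id: str, setting: str) -> PrivacySettings:
        """Consent is the only way a setting moves from False to True."""
        settings = self._settings.setdefault(self.pseudonym(patient_id), PrivacySettings())
        if setting not in asdict(settings):
            raise ValueError(f"unknown setting: {setting}")
        setattr(settings, setting, True)
        return settings

    def erase(self, patient_id: str) -> int:
        """Right to erasure: drop all records and settings; returns the number of records removed."""
        pseudo = self.pseudonym(patient_id)
        removed = len(self._records.pop(pseudo, []))
        self._settings.pop(pseudo, None)
        return removed


def demo() -> dict:
    """Walks one constructed data subject through storage, consent and erasure."""
    store = PseudonymisingStore(key=b"example-controller-key")  # constructed key
    store.store_measurement("P-001", {"name": "A. Example", "patient_id": "P-001", "heart_rate": 72})
    store.store_measurement("P-001", {"name": "A. Example", "heart_rate": 75})
    stored = store.records_for("P-001")
    default = store.settings_for("P-001").analytics_cookies
    store.opt_in("P-001", "analytics_cookies")
    after_consent = store.settings_for("P-001").analytics_cookies
    erased = store.erase("P-001")
    return {"stored": stored, "default": default, "after_consent": after_consent,
            "erased": erased, "remaining": store.records_for("P-001")}


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the privacy properties: the HMAC key is what turns a hash into a pseudonym (a plain SHA-256 of a low-entropy patient number could be reversed by trying candidate numbers), and destroying that key is itself a way to render all stored records anonymous. Note that the stored measurements may still be personal data if they are unique enough to identify someone in combination with external data, which is why the record contents are minimised and not only the identifier.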
The General Data Protection Regulation stipulates several roles:
"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
Examples of controllers are employers, hospitals and companies offering products and services via their website.
"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
Classic examples of processors are computer centers, and providers of cloud services or software as a service.
Companies such as Google or Amazon can take on two roles: they can act as controllers when offering services directly to individuals (e.g. Gmail) and as processors when storing data on behalf of a company, e.g. when a controller uses Amazon Web Services.
All individuals resident in the EU can be a "data subject", for instance in their role as employee, patient and customer.
GDPR usually requires controllers and processors to designate a data protection officer. Read more on the officer's responsibilities, rights and duties, as well as exemption clauses below.
The data subjects have the following rights:
However, only the data provided by the subject fall within the scope of those rights; data derived from the provided data is not included. For instance, citizens may claim erasure of data concerning their income, name or residence from the Schufa, but not erasure of the Schufa score calculated from those data. Nevertheless, the controller must disclose that the calculations were performed and must provide information on the "logic involved, as well as the significance and the envisaged consequences of such processing for the data subject".
The data subject is entitled to a prompt response, normally within 30 days. There are restrictions, though, for instance if a company receives many or very complex requests.
The following list presents only an excerpt of the requirements for "controllers":
Like controllers, processors must implement all appropriate technical and organisational measures to ensure data protection. The same applies to the data protection officer.
Subcontracting is only permitted with the controller's approval.
Processors must comply with the controller's instructions.
Operators such as hospitals take on the role of "controllers" and must meet the respective legal requirements. To meet them, the following tasks are probably waiting to be dealt with:
Besides, there are consequences for manufacturers regarding the design of devices and processes. They must, inter alia, meet the following system requirements:
The requirements of "Privacy by Design" and "Privacy by Default" explicitly address manufacturers, too.
Further, manufacturers shall comply with the requirements for IT security, which are a prerequisite for data protection. Comprehensive requirements for the (IT security of) devices stem from various standards such as the UL 2900 family of standards and the FDA cybersecurity guidances. We compiled an overview of those requirements which you can access using Auditgarant.
The Johner Institute assists you in amending process instructions and system requirements to ensure compliance with the requirements for data protection and IT security, thus attaining legal conformity and legal certainty.
For one, the EU GDPR has remarkably raised the bar. Everyone processing personal data is allowed to do so only if the data subject has given his or her consent (or if other provisions permit it).
On the other hand, controllers are given the chance to attain legal conformity, e.g. by making use of pseudonymisation and by creating transparency.
Nevertheless: The demands on technology, information, documentation, and evidence are immense.
There is in particular the risk that a new wave of formal warnings will descend upon companies. In light of this, and of the horrendous fines, manufacturers and operators should give urgent priority to implementing the EU General Data Protection Regulation.
The future will show whether the General Data Protection Regulation has succeeded in balancing the interests of companies and individuals and in avoiding the creation of a bureaucratic monster.