What is the impact of the General Data Protection Regulation (GDPR) and the EU-MDR on medical devices that process personal data?

Since the increasing connectivity (Internet of Things) of medical devices over IT-Networks, like cloud solutions and the rapid integration and use of software applications (standalone or integrated), data protection is an essential requirement to preserve patient safety. A security breach can have a serious impact on patient safety either in the control of the device itself or in-patient data. 

The debate on cybersecurity has exploded and already the wording that we are in the age of cyberwar is out. Also, the awareness of privacy and ownership of personal data has really started off. With the penetration of social networks in our lives, privacy and associated protection could become the next luxury or quality of well being. A lot of information about data protection and the MDR in Europe is available online.
However, I have not read clear answers or pathways on how to approach the question: “How can manufacturers of medical devices include data protection into their product design and quality systems and what is the impact of the upcoming General Data Protection Regulation (GDPR) in Europe? So, I have written some basic information about Data Protection and I will share with you, in multiple blogs, the steps for implementation of data protection into your medical device.

What does the EU-MDR say about data protection?

Regulators recognized that safety and security risk management require an integrated approach in the design of medical devices. The European Union published the Medical Device Regulation (EU) 2017/745 (MDR) which will be in effect on 26 May 2020. In Annex I General Safety and Performance Requirement 14.2 d) ‘the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts’ clearly refers to the relation between safety and security. Article 110 of the MDR requires the application of Directive 95/46/EC on the Protection of individuals with regard to the processing of personal data and on the free movement of such data. Thus, medical devices in an IT-environment must be developed and maintained by application of safety and security risk management.


The European Parliament has adopted the General Data Protection Regulation (GDPR EU 2016/679), that will be effective from May 25th, 2018. GDPR replaces Directive 95/46/EC and will be directly applicable in all Member States of the EU. The GDPR regulates the processing of personal data and the free movement of personal data of persons within the EU.

What is GDPR?

It is a privacy law.

1) GDPR lays down rules relating to the protection of natural persons about the processing of personal data and rules relating to the free movement of personal data; and 
2) it protects fundamental rights and freedoms of natural persons and their right to the protection of personal data.

What we see here are the two fundamentals of the GDPR: protection of personal data during processing and fundamental ‘privacy’ rights. Although the word ‘privacy’ is not mentioned once in the body of the text, GDPR gives fundamental privacy rights to persons, such as the ‘the right to be left alone’ or the ‘right to be forgotten’. These fundamental privacy rights and freedoms of a person are explicit and non-negotiable by the GDPR acting as a law. 

What the GDPR basically does is add a third domain, viz.  privacy risk management, to two domains we already signaled, i.e., safety and security risk management. Privacy risk management is decomposed into two pillars: 1) the protection of fundamental rights and freedoms of persons; 2) the management of privacy risks.
Thus, medical devices that process personal data must be developed and maintained by application of privacy risk management.

What does this mean for you as a manufacturer of medical devices in an IT environment that processes personal data?

With MDR and GDRP published, it is now clear for manufacturers of medical devices that process personal data and place their products on the EU market, to comply to both regulations.

As said, GDPR is in effect on May 25th, 2018, there is no transition period and penalty fines are high, up to 4% of worldwide revenue. With less than 6 months before the deadline, GDRP Readiness should be your top priority.

Also, a company outside the EU which is targeting consumers in the EU will be subjected to the GDPR.

Thus, medical devices operating in an IT-environment that processes personal data must be developed and maintained by application of risk management in 3 domains:
> Safety;
> Security; and
> Privacy.

In my next blogs, I will go deeper into the domains:

  • Integration of safety and security risk management in your design and postmarked activities;
  • Privacy Risk Management and Data Protection Impact Assessment;
  • Processes that define the responsibilities and trigger the activities that generate your compliance files;
  • Contract requirements of the GDPR.

If you require support or resources, do not hesitate to contact Qserve’s team of experts.



Next blog (part 2): How cyber security: system and data protection for medical devices will help you prepare for the upcoming EU-GDPR!

Next blog (part 3): GDPR (EU) 2016/679: the application of Data Protection for manufacturers in the medical device industry

Want to know more? Sign up for Qserve's webinar and keep an eye on our events calendar for all our trainings. 

Jaap Noordmans
Post date: November 28, 2017
How can we help you? Contact us