EU Medical Device Regulation and EU General Data Protection Regulation intersection
Summary: I. Background – II. EU MDR and EU GDPR intersection – III. Minimization of risk: pseudonymization and DIA (Data Impact Assessment) – IV. Post-market clinical follow-up and EU GDPR: cybersecurity guidance – V. Conclusions
I. Background
The Medical Device Regulation (EU MDR), adopted in April 2017, amends Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009, repeals Council Directives 90/385/EEC and 93/42/EEC, and became applicable in the European Union on 26 May 2021. The Regulation on Medical Devices (Regulation (EU) 2017/745) and the Regulation on In Vitro Diagnostic Devices (Regulation (EU) 2017/746) introduced new responsibilities for the European Medicines Agency (EMA) and the competent authorities in the assessment and classification of medical devices.
Medical devices in the EU must demonstrate that they meet all the mandatory requirements ensuring they are safe and perform as intended; EU Member States can accredit notified bodies to conduct the conformity assessments leading to the Declaration of Conformity (DoC).
Regulation (EU) 2017/745 provides that when medical devices process personal data they fall within the scope of the data protection rules; therefore the EU GDPR must also be applied.
In general, medical devices fall into four risk classes (I, IIa, IIb and III), determined primarily by the perceived risk of the product type, and the manufacturer must carry out the classification assessment according to the criteria in EU MDR Annex VIII. The EU MDR distinguishes among:
a) Class I devices, posing low/medium risk (e.g., wheelchairs)
b) Class IIa and IIb devices, representing medium/high-level risk (e.g., X-ray devices)
c) Class III devices, posing high risk (e.g., pacemakers).
II. EU MDR and EU GDPR intersection
On the basis of this classification and its consequences, we can determine whether the medical device will collect personal data and, accordingly, whether it requires EU GDPR compliance.
The process for complying with both EU MDR and EU GDPR provisions is structured in specific parallel stages:
– Investigate the EU MDR category, obtaining ISO 13485 (QMS) certification and identifying the type of data that will be collected accordingly
– Satisfy the requirements of ISO 13485 and complete the data privacy compliance assessment
– Produce the documentation and reports and ensure data security
– Carry out surveillance activities and track data subject consent
– Track the documentation of ongoing changes, as well as the scale of the data backend
It is indisputable that the growth of the medical device industry has brought an impressive increase in the use of personal data, including real-world data (RWD), creating the need to reconcile scientific purposes with data subject rights and safety.
The EU General Data Protection Regulation (EU GDPR) is particularly important in that respect, since the collection of health data via medical devices highlights the high legal risk arising from a lack of harmonization between EU MDR and EU GDPR rules.
Under Article 9 of the EU GDPR, the processing of sensitive data is in general prohibited. An important derogation from this rule is provided by Article 89(1) EU GDPR for the processing of sensitive data for public interest, scientific or historical research purposes or statistical purposes, but only if appropriate safeguards for the rights and freedoms of data subjects are guaranteed consistently with the Regulation’s provisions. While the kind of safeguards to be adopted is not explicitly stated, Article 89(1), by reference to their purpose, provides that “technical and organizational measures are in place in order to ensure respect for the principle of data minimization” and that such measures “may include pseudonymization provided that the intended use of the data can still be fulfilled”.
Consistently with the above, several areas of the EU MDR are relevant to the EU GDPR:
– Post-market surveillance, to ensure that manufacturers monitor their devices on the market and that clinical follow-up takes place
– Increased transparency: the Eudamed database is accessible to patients, healthcare professionals and the public, so that the increased EU MDR transparency stands in contrast with the EU GDPR data protection principles.
– Safety and performance requirements: the product must be safe and perform as intended throughout its life cycle.
– Clinical data requirements: medical devices previously CE marked under Directives 93/42/EEC or 90/385/EEC should have sufficient clinical evidence to demonstrate conformity with the relevant EU GDPR provisions, as per Article 61(1) EU MDR.
With the rapid advance of medical devices, the volume of data will increase enormously; the challenge we now face is therefore the protection of the personal data of EU citizens. In particular, the EU GDPR has a significant impact on IT data processing, especially in aspects such as data encryption, data storage and access management. Since the EU MDR requires data to be collected and processed for adverse events, vigilance, safety and post-market clinical follow-up (PMCF), the interaction between the two European regulations is clear. EU GDPR compliance for the processing of EU citizens’ data is a must: in applying the Medical Device Regulation provisions, manufacturers must adopt all the measures necessary to guarantee the highest level of data protection as required by the EU GDPR.
Specifically, meeting EU MDR obligations involves collecting and processing a huge amount of personal data and special categories of personal data, so organizations must work to ensure that the personal data does not allow individual identification, while remaining compliant with the regulatory requirements.
III. Minimization of risk: pseudonymization and DIA (Data Impact Assessment)
The most important instrument for ensuring that the data subject cannot be (immediately) identified is the pseudonymization process. As per Recital 28 of the EU GDPR, “The application of pseudonymization to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.” In a nutshell, with this method data are processed in such a way that they can no longer be attributed to a specific data subject without the use of additional information, which must be stored separately. For instance, it consists in replacing identifying data (e.g., a surname) with indirectly identifying data (e.g., a serial number). It therefore remains possible to recover the subject’s identity with the help of the separately held data. For this reason, pseudonymized data remain personal data and fall within the scope of the EU GDPR (unlike anonymized data, for which identification of the subject is irreversible).
Moreover, under the EU GDPR a medical device manufacturer can be qualified as both a processor and a data controller, so that different data-processing obligations fall on it according to that qualification. In any case, a data impact assessment (DIA) is always required for an organization managing clinical data, in order to document the purpose of the data processing, the data management, and the actions necessary to mitigate any risks.
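The paragraph above describes pseudonymization in the abstract. The following Python program, added here as an illustration and not code from the original article or any named product, shows the mechanics it refers to: direct identifiers (surname, patient ID) are replaced by a pseudonym computed with a keyed HMAC, and the only way back to the identity is a separately held vault containing the key and the lookup table. The record layout, field names and sample values are constructed for the example; the deterministic pseudonym keeps follow-up records of the same subject linkable, which is what a PMCF dataset needs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Fields that directly identify the data subject; the pseudonymization step
# removes exactly these from the working dataset.
DIRECT_IDENTIFIERS = ("surname", "patient_id")

# Constructed sample of PMCF-style follow-up records (hypothetical values).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"surname": "Rossi", "patient_id": "P-001", "device_serial": "DEV-0042",
     "event": "battery low", "date": "2023-03-01"},
    {"surname": "Rossi", "patient_id": "P-001", "device_serial": "DEV-0042",
     "event": "lead impedance high", "date": "2023-04-12"},
    {"surname": "Bianchi", "patient_id": "P-002", "device_serial": "DEV-0077",
     "event": "battery low", "date": "2023-03-15"},
]


class PseudonymVault:
    """Holds the 'additional information' needed to re-identify a subject.

    The vault keeps a secret key (so nobody who only sees the pseudonymized
    dataset can recompute or guess pseudonyms) and a lookup table from
    pseudonym back to the original identifiers. Under the GDPR this object
    must be stored separately from the pseudonymized data, with access
    limited to the roles that legitimately need re-identification.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._lookup: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, identifiers: Dict[str, str]) -> str:
        # Canonical encoding so the same subject always yields the same
        # pseudonym, keeping longitudinal records linkable.
        canonical = "|".join(f"{k}={identifiers[k]}" for k in sorted(identifiers))
        tag = hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
        pseudonym = "PSN-" + tag[:16]  # truncated for readability
        self._lookup.setdefault(pseudonym, dict(identifiers))
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[Dict[str, str]]:
        """Reverse a pseudonym; only possible with this vault."""
        return self._lookup.get(pseudonym)


def pseudonymize_record(record: Dict[str, str], vault: PseudonymVault) -> Dict[str, str]:
    """Return a copy of the record with direct identifiers replaced by a pseudonym."""
    identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS}
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_pseudonym"] = vault.pseudonym_for(identifiers)
    return out


def pseudonymize_dataset(records: List[Dict[str, str]], vault: PseudonymVault) -> List[Dict[str, str]]:
    return [pseudonymize_record(r, vault) for r in records]


def contains_direct_identifiers(records: List[Dict[str, str]]) -> bool:
    """Sanity check to run before a dataset leaves the controlled environment."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = PseudonymVault(secrets.token_bytes(32))
    dataset = pseudonymize_dataset(SAMPLE_RECORDS, vault)
    for row in dataset:
        print(row)
    print("direct identifiers left:", contains_direct_identifiers(dataset))
    # Re-identification works only for whoever holds the separately stored vault.
    print("re-identified:", vault.reidentify(dataset[0]["subject_pseudonym"]))
```

The keyed construction is the point of the design: a plain hash of the patient ID would let anyone who sees the dataset recompute pseudonyms from a list of candidate IDs, whereas the HMAC output is useless without the key, and the lookup table gives the controller a single place to apply access control, logging and retention rules for re-identification.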
IV. Post-market clinical follow-up and EU GDPR: cybersecurity guidance
With reference to PMCF, EU MDR Annex XIV(B) provides a specific definition: ‘A continuous process that updates the clinical evaluation and that shall be addressed in the manufacturer’s post-market surveillance (PMS) plan.’ It is the systematic collection of clinical data and evidence with the purpose of proactively uncovering important safety or performance issues in a CE-marked medical device and updating its clinical evaluation. EU GDPR compliance must clearly be taken into account when developing the PMCF plan, and the key to guaranteeing a high level of data protection is to adopt strong data security measures together with the indispensable informed consent of the data subject.
The Food and Drug Administration (FDA) thoroughly understood the benefit/risk balance of the PMCF process (patient safety versus data protection needs) and released guidance to support manufacturers, the Post Market Management of Cybersecurity in Medical Devices and IEC 29147. In the same direction, the Medical Device Coordination Group (MDCG) of the European Commission issued the MDCG 2019-16 Guidance on Cybersecurity for medical devices under Article 103 of Regulation (EU) 2017/745, whose “primary purpose ... is to provide manufacturers with guidance on how to fulfil all the relevant essential requirements of Annex I to the EU MDR and IVDR with regard to cybersecurity”. In particular, within the EU MDR and cybersecurity contexts, manufacturers must ensure that “the rights of the subject to physical and mental integrity, to privacy and to the protection of the data concerning him or her in accordance with Directive 95/46/EC are safeguarded”.
Briefly surveying the landscape of these regulations’ interaction, it is indisputable that the EU GDPR has increased the need for transparency and accountability, requiring additional efforts from organizations. This is particularly demanding for medical device manufacturers, which usually collect and process health data as the main purpose and objective of their activities.
In this perspective the support of the MDCG 2019-16 Guidance is essential, since its Cybersecurity Annex deals with both pre-market and post-market aspects, providing guidelines on risk management, IT security, unauthorized access, and general data protection.
V. Conclusions
Based on the above scenario, it is evident that the main objective is to guarantee the highest level of data protection while fulfilling the EU MDR obligations, so that manufacturers must comply not only with the CE-device market Regulation but also with the data subject protection provisions. The alignment of contracts, together with the updating and follow-up of internal policies and procedures, are the most relevant tools for operating in a “safe” zone. In most cases the adoption of a Quality Management System (QMS) is decisive, since it allows enterprise-wide quality and regulatory compliance to be achieved.
Ultimately, the check and balance between the two Regulations is really challenging, but it is unavoidable given the coexistence of regulatory compliance and privacy needs; the critical issues arising from the interaction of the different pieces of legislation can be overcome only by reinforcing the organization’s procedures through the harmonization of objectives and the improvement of internal multidisciplinary legal evaluations.
The harmonization models are constantly evolving, while the purpose is always the same: creating common standards that enable manufacturers to fulfil every obligation in compliance with the multiple regulations. This improves the CE-device market while preserving the essence of the data protection obligation as a fundamental right.