The EU General Data Protection Regulation must be complied with starting at 25 May 2018, at the latest.
Many companies, among them medical device manufacturers and operators such as hospitals, are not adequately prepared.
This article gives you a review of the main concepts and requirements of the General Data Protection Regulation and examines aspects relevant to medical devices.
1. Objectives of the General Data Protection Regulation
On 14 April 2016, the EU Parliament adopted the EU General Data Protection Regulation. Companies must comply with this regulation starting 25 May 2018, without any additional transitioning period.
a) Objective 1: Harmonized data protection law throughout Europe
One aim of the regulation is to replace the fragmented national data protection laws with uniform, pan-European standards. Consequently, the German Federal Data Protection Act (BDSG) had to be revised to a great extent. This was done. It becomes effective on 25 May 2018, the same date as the GDPR.
b) Objective 2: Strengthen data protection
With the General Data Protection Regulation, the EU Commission intends to create the legal basis for an increasingly digitalized society. For this, requirements for privacy are strengthened substantially, and the severe fines imposed on infringements (up to 4% of revenues, not profit, or 20m EUR) illustrate how serious the Commission is about privacy.
The amount of the fine depends on factors such as
- nature and amount of the data affected by the data breach,
- company’s willingness to cooperate with authorities,
- protective measures put in place by the company,
- as well as the respective history of the company, and
- time needed by the company to inform authorities and affected persons.
c) Objective 3: Strengthen further rights of citizens
The General Data Protection Regulation not only intends to strengthen privacy, but also rights of citizens going beyond data protection. Those rights include, inter alia:
- citizens may have their personal data transmitted (to another controller)
- they may ask to view their data
- they must be informed about the purpose of data processing
- they are granted the right to demand incorrect data to be corrected and, in general, to demand all data to be erased
2. Fundamentals of the General Data Protection Regulation
a) Scope
No limitations regarding size or industry
All natural and legal persons (usually companies) processing personal data must comply with the General Data Protection Regulation. The regulation applies to all sectors and sizes of companies.
Not limited to automatic and electronic data processing
It is further irrelevant whether data is processed automatically or manually. The GDPR is not even restricted to electronic data. Even though a “filing system” is mentioned, the term is defined to mean “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.
Geographical focus
All companies which process personal data “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” must apply the GDPR (Fig. 1).
Companies processing personal data of European citizens or residents must obey the GDPR, even if they are established outside of the EU (Fig. 2). With this, the EU has certainly also kept an eye on companies such as Facebook and Google.
Exceptions
The General Data Protection Regulation only grants exceptions if data is processed in the course of a purely personal activity or if the processing is carried out for the purposes of national security and criminal prosecution.
b) Personal data
Personal data is defined by the General Data Protection Regulation as any information relating to an identified or identifiable natural person.
Definition by the GDPR
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Source: GDPR
Examples of personal data
Examples of personal data are: name, place of residence, identification number, IP address (as recorded when visiting websites), and data on physical, physiological, genetic, mental, economic, cultural or social concerns.
Hence, personal data is not at all limited to data needed to identify a person (see Fig. 3). Only if the data did not contain any datum which, by itself or in combination with other (external) data, allowed for identification would the data not be personal.
“Special categories” of personal data
GDPR classifies data as requiring particular protection if it is suited to reveal
- “racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs, or
- trade union membership”, as well as
- “genetic data
- biometric data for the purpose of uniquely identifying a natural person,
- data concerning health or
- data concerning a natural person’s sex life or sexual orientation”.
c) Fundamentals and principles
Prohibition subject to permission
In general, processing of personal data is prohibited, unless certain conditions are fulfilled and at least one of the following stipulations is met:
- the data subject has consented (for a specific purpose)
- processing is necessary for the performance of a contract to which the data subject is party
- processing is necessary for compliance with a legal obligation
- processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g., contagious disease)
Commercial interests
GDPR also considers commercial interests and promotes free movement of data within Europe.
Further principles
Further principles (besides, e.g., consent obligation and transparency) are:
- data minimisation
- purpose limitation
- accuracy
- storage limitation (in time)
- accountability
- integrity and confidentiality
Privacy by Design and Privacy by Default
“Privacy by Design” refers to a product’s or technology’s characteristic that the principles of privacy were taken into account at the time of its development and design. The product may, for instance, erase the data of individual data subjects, or it may pseudonymize the data even before it is stored.
“Privacy by Default” means that a product’s or technology’s highest privacy settings are activated right from the beginning. Applied to a website, this would mean that, for example, “personal cookies” are deactivated and may only be used on the condition of consent.
3. Roles
The General Data Protection Regulation stipulates several roles:
- For one, the data subject, i.e., the individual resident in the EU
- Secondly, the natural or legal person which is responsible for data processing (“controller”)
- Next, the natural or legal person which processes data on behalf of the controller (“processor”)
- And national supervisory authorities
- Finally, the data protection officer
a) Person controlling data processing (controller)
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Source: GDPR
Examples of controllers are employers, hospitals and companies offering products and services via their website.
b) Processor
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
Source: GDPR
Classic examples of processors are computer centers, and providers of cloud services or software as a service.
Companies such as Google or Amazon can take on both roles: they act as controllers when offering services directly to individuals (e.g., Gmail) and as processors when storing data on behalf of a company, e.g., when a controller uses Amazon Web Services.
c) Data subject
All individuals resident in the EU can be a “data subject”, for instance in their role as employee, patient and customer.
d) Data protection officer
GDPR usually requires controllers and processors to designate a data protection officer. Read more on the officer’s responsibilities, rights and duties, as well as exemption clauses below.
4. GDPR: Rights and Duties
On 88 pages, the General Data Protection Regulation lays down rights and duties of the mentioned roles.
a) Subjects
The data subjects have the following rights:
- they may request copies of their data in a machine-readable format which is suited for further processing
- they have the right to transmit those data to another controller
- they are further free to demand the erasure of their data on the condition that there are no overriding legitimate grounds
- they may also call for rectification of their data
However, only the data provided by the subject fall within the scope of those rights; data derived from the provided data is not included. For instance, citizens may claim erasure of data concerning their income, name or residence from the Schufa, but not erasure of the Schufa score calculated from those data. Nevertheless, the controller must disclose that the calculations were performed and must provide information on the “logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”.
The data subject is entitled to a prompt response, normally within 30 days. There are restrictions, though, for instance if a company receives many or very complex requests.
b) Companies controlling data processing
The following list presents only an excerpt of the requirements for “controllers”:
- Granting subjects the rights mentioned above: Controllers must grant the subjects the above-mentioned rights and, for example, provide information on which data are stored for which purpose and for how long.
- Organisational and technical protection measures: They must provide appropriate (state of the art) protection of data. Pseudonymisation can be one approach.
- Communication of an incident: In case of an incident, the respective data subject (without undue delay) and the authorities (within 72 hours) are to be informed.
- Contract with processors: If you commission another natural or legal person to process data, you have to enter into a contract with that person.
- Data protection officer: For companies with 10 or more employees, data protection officers are obligatory. This is, however, not stipulated by the General Data Protection Regulation, but by the revised BDSG.
c) Companies processing data on behalf of a controller
Just like controllers, processors must implement all appropriate technical and organisational measures to ensure data protection. The same applies to the data protection officer.
Subcontracting is only permitted with the controller’s approval.
They must comply with the controller’s instructions.
5. Consequences
a) Consequences for operators
Operators such as hospitals take on the role of “controllers” and must meet the respective legal requirements. To meet them, the following tasks are probably waiting to be dealt with:
- identification of stored data; clarification of intended purpose
- identification of processes and systems for data processing
- evaluation and establishment of IT security
- evaluation and establishment of conformity of data processing (also includes websites)
- evaluation and preparation of contracts with processors
- improvement and preparation of data protection declarations
- appointment of a data protection officer
- improvement or installation of process instructions (e.g. responding to emergencies)
- installation of complaint management (website, staff, processes, systems)
- training of employees
b) Consequences for manufacturers
Manufacturers, too, face consequences regarding the design of devices and processes. They must, inter alia, meet the following system requirements:
- specific erasure of individual person’s / patient’s datasets
- export of datasets in a processable format, e.g., XML, if necessary with explanations
- ensure the devices’ IT security. This includes the capability of importing or removing patches and updates at short notice
- training of employees (e.g., developers)
- amending process instructions concerning data protection and IT security, e.g. process instructions for development, support, decommissioning, post-market surveillance, risk management
The requirements of “Privacy by Design” and “Privacy by Default” explicitly address manufacturers, too.
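The Privacy by Design paragraph above and the manufacturer requirements (targeted erasure, machine-readable export, pseudonymisation before storage) can be sketched in code. The following Python example is added here and is not code from the article or from the Johner Institute; the record layout, the JSON export format and the HMAC key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed sample records for a device that stores one measurement per patient.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "name": "Example Patient A", "bp_systolic": 128},
    {"patient_id": "P-0002", "name": "Example Patient B", "bp_systolic": 141},
]


class PseudonymisedStore:
    """Keeps per-patient datasets under a keyed pseudonym instead of the identifier.

    The HMAC key is the linking secret and is held by the controller, not in the
    data store: whoever has it can recompute the pseudonym for a known patient_id,
    while the stored pseudonyms cannot be brute-forced from the small space of
    patient numbers (a plain, unkeyed SHA-256 of "P-0001" could be).
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records: Dict[str, dict] = {}  # pseudonym -> minimised dataset

    def pseudonym(self, patient_id: str) -> str:
        return hmac.new(self._key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def store(self, record: dict) -> str:
        # Pseudonymise before storing: direct identifiers never enter the store,
        # only the pseudonym and the measurement fields (data minimisation).
        pseudo = self.pseudonym(record["patient_id"])
        minimised = {k: v for k, v in record.items() if k not in ("patient_id", "name")}
        self._records[pseudo] = minimised
        return pseudo

    def export(self, patient_id: str) -> Optional[str]:
        # Machine-readable copy of one subject's dataset (data portability).
        rec = self._records.get(self.pseudonym(patient_id))
        return None if rec is None else json.dumps(rec, sort_keys=True)

    def erase(self, patient_id: str) -> bool:
        # Targeted erasure of exactly one subject's dataset (right to erasure).
        return self._records.pop(self.pseudonym(patient_id), None) is not None

    def count(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    store = PseudonymisedStore(b"constructed-demo-key-keep-out-of-the-store")
    for r in SAMPLE_RECORDS:
        store.store(r)
    print(store.export("P-0001"))  # only the measurement, no name or id
    print(store.erase("P-0001"), store.count())
```

Rotating or destroying the key after the retention period breaks the link between pseudonyms and patients for all records at once, which is one way to implement storage limitation.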
Further, manufacturers shall comply with the requirements for IT security which constitute a prerequisite for data protection. Comprehensive requirements for (IT security of) devices stem from various standards such as the UL 2900 family of standards and the FDA Cybersecurity Guidances. We compiled an overview of those requirements which you can access using the Medical Device University.
Conclusion
For one, the EU GDPR has remarkably raised the bar. Everyone processing personal data is allowed to do so only if the data subject has given his or her consent (or if other provisions permit it).
On the other hand, controllers are given the chance to attain legal conformity, e.g., by making use of pseudonymisation and by creating transparency.
Nevertheless: The demands on technology, information, documentation, and evidence are immense.
There is in particular the risk that a new wave of warning letters will descend upon companies. In the light of this, and of the horrendous fines, manufacturers and operators should give urgent priority to implementing the EU General Data Protection Regulation.
The future will show whether the General Data Protection Regulation has succeeded in balancing the interests of companies and individuals and in avoiding a bureaucratic monster.