Kari Miller, Regulatory and Product Management Leader, Pilgrim Quality Solutions, an IQVIA company
Meeting the reporting and legal requirements of regulations, such as the EU Medical Device Regulation (MDR) and the recently mandated EU General Data Protection Regulation (GDPR), can be a daunting task. An initial review of both regulations brings forth seemingly clashing requirements. In fact, the balancing act that needs to occur within an organization to comply with both is a delicate one.
This is the first of two blogs that will look at the components of EU MDR and EU GDPR. I will address the potential impact of EU GDPR on EU MDR, with a particular focus on Complaints processing and Vigilance and Safety Reporting. In part two, I’ll outline the areas where these two EU-based regulations intersect.
EU MDR Overview
The EU Medical Device Regulation (MDR), which went into effect on the May 25, 2017 (there is a three year transition period), is not a trivial regulation. With 10 chapters of 123 Article and 17 Annexes, it’s not feasible to cover the regulation in its entirety. However, there are several areas of EU MDR that need to be viewed through an EU GDPR lens. They include: Scope Expansion, Post Market Surveillance, Increased Transparency, Clinical Data Requirements, and Safety and Performance Requirements.
The scope expansion of EU MDR includes traditionally non-medical devices or those with no intended medical purpose. Post-market surveillance requires periodic updates to ensure that manufacturers are monitoring their devices once on the market, and post-market clinical follow up is required as well. As major components of the Eudamed database (where Adverse Events, post-market surveillance and other summaries are posted) are available to patients, healthcare professionals, and the public, the increased transparency of EU MDR is in clear contrast with the EU GDPR’s data protection principles. Under EU MDR, clinical data requirements, as well as safety and performance requirements, have increased.
The bottom line regarding EU MDR is that with the expanded medical device classifications, reporting volumes will increase due to the expansion of devices that are included in reporting. The sheer volume of required data is going to increase as well becauses the data being requested is expanding. For instance, consider that the updated version of the Manufacturers Information Report (MIR), a component of the upcoming MEDDEV 12.2-1 V9, contains significantly more fields than its prior version. What all this means is that the collection and transmission of personal data will increase, not decrease, and the protection of EU citizens’ personal data is what EU GDPR is all about.
EU GDPR Overview
The General Data Protection Regulation (“GDPR” or “Regulation”), approved by the European Parliament and Council in April 2016, went into effect on May 25, 2018 and replaces the Data Protection Directive 95/46/ec. It is the primary regulation intended to protect all European Union (EU) data subjects from privacy and data breaches in a world driven by data. It lays out the rules regarding the protection of natural persons and the processing or movement of their personal data. And, it protects their fundamental rights and freedoms regarding the protection of their personal data. Whether your organization is located in the EU or not, if you process personal data of EU citizens, this regulation applies to your organization.
EU GDPR is a daunting regulation as well, with 99 articles and 173 recitals, so it’s no wonder it has received a lot of attention. It has strong impact on IT management of personal data, especially with regard to data encryption, security, auditing of technology-enabled processes, and access management. In the manufacturing world, the cost of non-compliance is high, and in the case of GDPR, it is very high indeed.
- Violations of Record Keeping, Security, Breach Notification, and Privacy Impact Assessments Regulators will have the Authority to Issue Penalties Equal to the Greater of $10M Euro or 2% of the Entity’s Global Gross revenue
- Violations related to legal justification for processing (see examples) may result in penalties of the Greater of $20M Euro or 4% of the Entity’s Global Gross Revenue:
- Data subject rights
- Cross boarder data transfers
The Three Major Categories of GDPR
Though the volume of the regulation’s specifics may be daunting, GDPR can be broken down into three major categories for application: Data Subject Rights, Controller and Processor Responsibilities, and Transfer of Personal Data.
1. Rights of Data Subjects
It begins with the rights of data subjects. Consent for the use of personal data can no longer be passive — it must be freely given, and the purpose of the consent (use of their personal data) must be clear and distinguished from other matters. It also must be demonstrable and easy to withdraw. Data subjects have the right to receive a copy of their data, and understand the type of personal data being collected, as well as the purpose of the collection of their data. They also have the right to know who’s receiving their data as well as how long their data will be retained. Additionally, they have the right to restrict the processing of their data and the right to be forgotten, completely.
Even when data is processed for scientific or historical research, or statistical purposes, the data subject has the right to object; it will be up to the controllers of the data to demonstrate the legitimacy of their need to process the data subject’s data. The regulation also provides the data subjects with the right not to be subject to a decision based on automated processing inclusive of decisions that might result in discrimination. Further guidance in this area is going to be required in regards to clinical trials and post- market surveillance.
Finally, data subjects have the right to be notified if a breach of security has occurred leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that’s been transmitted, stored, or otherwise processed.
2. Controller and Processor Responsibilities
It is the responsibility of Controllers (those determining the purpose and means of the processing of personal data) and Processors (those which process the personal data on behalf of the controller) to ensure they are compliant with EU GDPR requirements. This includes performing data protection impact assessments, ensuring data security through Pseudonymisation (anonymizing and minimizing the ability to individually identify the data subject) and encryption. They are to ensure data security by design and policy and they are to keep records of compliance. As mentioned above, they are to send notification of data breaches should they occur to both Supervisory Authorities as well as data subjects, and they are to have a Data Protection Officer.
3. Transfer of Personal Data
When the transfer of personal data is required, and if the transfer occurs to a third country or to an international organization where the Commission has determined that an adequate level of protection exists, no special authorization is required (Article 45). In the absence of the aforementioned, organizations may transfer data to a third country or an international organization if the controller or processor has provided appropriate safeguards and data subject rights are enforceable (Article 46). There are exemptions for both of the aforementioned. For example, the data subject may consent to the transfer; the transfer is required contractually between the data subject and the controller; the transfer is necessary for reasons of public interest; the exercise or defense of legal claims; the protection of the data subject or other persons; and, if the transfer is made from a register intended to provide information to the public and is open to consultation (Article 49).
Next week, in Part 2 of this blog, Finding the Balance, we’ll examine the five major intersections where EU MDR and EU GDPR intersect.
SmartSolve Complaint Management
SmartSolve Complaint Management helps you streamline complaint and regulatory reporting management.