Kari Miller, Regulatory and Product Management Leader, Pilgrim Quality Solutions, an IQVIA company
The EU Medical Device Regulation (MDR), which entered into force in May 2017 with its date of application set three years later, is a complex and demanding regulation. In May of 2018, we were all introduced to the data protection requirements of the EU General Data Protection Regulation (GDPR), which applied from that month. In the first part of this 2-part blog series, Finding the Balance, we examined key areas of EU MDR that need to be viewed through an EU GDPR lens. This second installment takes on how organizations can comply with both regulations at once.
Every organization’s products and situation will be different, so offering a canned To Do list would not be effective. Each organization needs to work with its legal counsel and security group to determine the right approach for their organization. In Part 1, we outlined the three major categories of GDPR. It’s within these categories that EU MDR and EU GDPR intersect. The five major intersections are:
- Consent Processing
- Data Protection
- Data Subject Rights
- Breach Reporting
- Impact Assessment
Consent Processing
Consent processing is well established in clinical trials, but it typically does not exist for Complaints Handling, Safety and Vigilance Reporting, or QMS processes in general. In many cases it is not feasible to obtain consent at all, because the reporter (a clinician, distributor or caregiver) is often not the data subject. For research uses of the data, Recital 33 of the GDPR states:
“It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
Broad consent of this kind, together with the lawful bases that do not rely on consent at all (processing necessary to comply with a legal obligation such as the vigilance reporting duties of EU MDR, Article 6(1)(c), and processing of health data for reasons of public interest in the area of public health, which Article 9(2)(i) expressly extends to ensuring high standards of quality and safety of medical devices), should be reviewed against your organization's situation. Whichever basis you rely on, none of these factors overrides the data subject's right to the protection of their personal data.
Data Protection
If electronic systems support your Complaints, Vigilance and Safety Reporting, Post-Market Surveillance, or QMS processes, whether in the cloud (cloud hosting does not exempt you) or on premises, work with your organization to verify that physical facilities have controlled access and that every system enforces proper authentication (named accounts only, no shared or generic user IDs), input validation and output encoding (to protect against cross-site scripting and SQL injection), and encryption of data at rest and in transit. This includes the XML vigilance reporting file you generate for submission, both while it is stored and while it is transmitted.
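As an added illustration of what "input validation and output encoding" in the paragraph above actually guards against (this is example code added here, not code from the original post or from any Pilgrim product), here is a complaint-record lookup in Python written the vulnerable way and the hardened way, followed by the output encoding that stops stored cross-site scripting. The table, column names, sample records and function names are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample complaint records (reference, free-text narrative).
SAMPLE_COMPLAINTS = [
    ("CMP-0001", "Infusion pump alarm failed; patient J. Doe, DOB 1961-04-02"),
    ("CMP-0002", "Catheter kink reported by <nurse@example.org>"),
]


def build_db():
    """In-memory SQLite table standing in for the complaint-handling database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE complaints (ref TEXT PRIMARY KEY, narrative TEXT)")
    conn.executemany("INSERT INTO complaints VALUES (?, ?)", SAMPLE_COMPLAINTS)
    return conn


def lookup_vulnerable(conn, ref):
    """The 'before': the reference is pasted into the SQL text, so a quote
    character in it rewrites the query (SQL injection). Kept deliberately
    vulnerable to show the failure."""
    sql = f"SELECT ref, narrative FROM complaints WHERE ref = '{ref}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, ref):
    """The 'after': a parameterised query. The driver binds ref as a value,
    so it can never become part of the SQL statement."""
    sql = "SELECT ref, narrative FROM complaints WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def render_narrative(narrative):
    """Output encoding before a narrative is put into an HTML page: a reporter
    who types <script> into a complaint form gets text back, not code."""
    return "<p>" + html.escape(narrative, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"   # a complaint reference no legitimate user would type
    print(len(lookup_vulnerable(db, payload)), "rows leaked by the vulnerable lookup")
    print(len(lookup_hardened(db, payload)), "rows from the parameterised lookup")
    print(render_narrative(SAMPLE_COMPLAINTS[1][1]))
```

With the payload `' OR '1'='1` the vulnerable lookup returns every complaint in the table, personal data included, while the parameterised lookup returns nothing because no record has that literal reference. Validation of the reference format (for example, that it matches `CMP-` followed by digits) is a useful extra layer, but it is the parameter binding that removes the injection, and the HTML escaping that removes the script execution.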
Investigate your organization's understanding of Data Protection by Design and by Default (GDPR Article 25): collect only the data the process actually requires, and pseudonymise wherever possible so that a record cannot be tied to an individual without additional information that is held separately. Note that pseudonymised data is still personal data under GDPR; only truly anonymised data, which cannot be re-identified by any means, falls outside the regulation.
Data Subject Rights
It is important to remember that patient data isn't the only personal data in your systems: reporters, clinicians and your own staff appear as well, and personal data often sits in unstructured narratives, as is typical for safety information. When feasible, redact identifying details from the narrative before triage, then encrypt the original copy and store it separately from the working copy.
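The pseudonymisation recommended under Data Protection and the pre-triage redaction described just above, as one added example in Python (this is illustrative code added here, not the post's or any product's). The key, the identifier patterns, the sample narrative and the names `pseudonymise`, `redact` and `NarrativeStore` are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo key. In practice it lives in a key store the triage system
# cannot read; whoever holds it can link a pseudonym back to the patient ID.
PSEUDONYM_KEY = b"demo-key-rotate-and-keep-out-of-the-triage-system"


def pseudonymise(identifier, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256), not a bare SHA-256: without the key nobody can
    recompute pseudonyms from a list of known patient IDs. The result is still
    personal data under GDPR because the key holder can re-identify it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


# Patterns for identifiers that commonly appear in safety narratives. Order
# matters: dates are redacted before phone numbers so that 2019-03-04 is not
# mistaken for a phone number. Names are not reliably caught by regexes and
# still need a manual review step.
REDACTION_PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
    ("PHONE", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
]


def redact(narrative):
    """Return the narrative with recognised identifiers replaced, plus a count."""
    total = 0
    for label, pattern in REDACTION_PATTERNS:
        narrative, n = pattern.subn(f"[{label} REDACTED]", narrative)
        total += n
    return narrative, total


class NarrativeStore:
    """Keeps the redacted working copy (what triage staff see) apart from the
    original. The originals dict stands in for the separately held, encrypted
    store the text calls for; the encryption itself belongs to a proper
    library and is not shown here."""

    def __init__(self):
        self.triage = {}
        self.originals = {}

    def ingest(self, patient_id, narrative):
        pid = pseudonymise(patient_id)
        redacted, n = redact(narrative)
        self.triage[pid] = redacted
        self.originals[pid] = narrative
        return pid, n


# Constructed sample narrative.
SAMPLE_NARRATIVE = ("Patient contacted on 2019-03-04 via jane.doe@example.org "
                    "or +44 20 7946 0958 after the pump alarmed.")

if __name__ == "__main__":
    store = NarrativeStore()
    pid, n = store.ingest("PAT-1234", SAMPLE_NARRATIVE)
    print(pid, n, store.triage[pid], sep="\n")
```

Because the pseudonym is an HMAC under a separately held key, the triage system can group records by patient without ever holding the patient ID, and a data subject access or erasure request is serviced by computing the pseudonym from the ID on the key-holding side. Regex redaction is a first pass only: names, job titles and other indirect identifiers in free text still need human review before the narrative is treated as safe for wider circulation.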
Audit trails should exist for all activities involving personal data, so that the use of data subject information can be substantiated (who accessed or changed what, and when). Clearly identify and document the lawful basis for your organization's collection of each category of data subjects' personal data.
Review your procedures to ensure they cover every data subject right, including how to erase ("forget") a data subject's data and how to transfer it electronically (portability), and make sure you have a procedure for handling data subject access requests. Document where a right is limited: for example, the right to erasure does not apply where the processing is required by a legal obligation such as vigilance record retention under EU MDR (Article 17(3)(b)), and your response to such a request should state that reason rather than leaving the request unanswered.
Breach Reporting
Ensure the organization understands what personal data exists in your Complaints, Vigilance and Safety, Post-Market reporting, and QMS systems, and validate that procedures are in place to detect, investigate, and report personal data breaches, including the 72-hour deadline for notifying the supervisory authority (Article 33) and notifying affected data subjects where the breach is likely to result in a high risk to them (Article 34).
Impact Assessment
Whether your organization outsources its Complaint Handling and Safety and Vigilance activities or performs them in-house, carry out data protection impact assessments (DPIAs) and put safeguards in place for any risk you identify; large-scale processing of health data is one of the cases in which GDPR requires a DPIA (Article 35). In the case of outsourcing, legal instruments such as non-disclosure agreements and the data processing agreement GDPR requires between controller and processor (Article 28) are important tools in achieving EU GDPR compliance. Finally, all personnel handling personal data should be trained on GDPR requirements; this applies to internal staff, contractors, and outsourcers alike.
Managing It All
If your organization does business in the EU, there is an unprecedented level of regulatory change to consider and manage. EU MDR requires organizations to collect and process data for adverse events, safety and vigilance, and post-market reporting, and that data includes personal data as GDPR defines it. GDPR applies to it when the data subject is in the EU, regardless of citizenship, and also when the organization itself is established in the EU (Article 3). Your organization is required to protect that personal data.
So how do you manage both? Follow these guidelines to safeguard your organization’s compliance:
- Use personal data only for the purpose for which it was collected (purpose limitation)
- Deploy data protection standards
- Ensure procedures are updated to reflect GDPR reporting and security breach detection requirements
- Train all personnel handling personal data on GDPR requirements
For Life Sciences companies, your organization’s Quality Management Solution (QMS) is used to achieve enterprise-wide quality and regulatory compliance. Each organization must determine what policies and procedures need to be put into place to achieve EU GDPR compliance. Then your organization needs to use your QMS in a manner that is consistent with those policies and procedures, balancing the needs of regulatory compliance and the privacy called for by EU GDPR. Pilgrim Quality Solutions is here to help. Don’t wait to call us.
The Balancing Act between Regulatory Requirements
This video provides insight on the critical consideration for implementing regulations within your organization.