
If you’re a medical device manufacturer planning to do business with the European Union, you need to know about the regulatory change that took effect in May 2018, because it can have operational, process, and financial implications for your business.

The new General Data Protection Regulation (GDPR) contains both existing and new data privacy requirements that, if not met, can result in significant fines of up to 20 million Euro or four percent of annual turnover. Maintaining compliance is required of organizations as well as relevant vendors and partners and is critically important to ensuring that organizational IT ecosystems are doing all they can to help customers protect individual rights and freedoms.

One of the newest requirements is the need to respond to a data breach or loss within 72 hours and provide a full report of the event or incident, including details such as how many individuals were affected and the type of data compromised. The consequences of the breach must also be reported: what the organization believes happened, based on the available evidence; the potential implications for the affected individuals; and the measures already taken, and still to be taken, to mitigate the risks identified in the breach disclosure report.

To respond adequately to the change in regulations brought about by GDPR, medical device firms should ensure that employees are well trained in bringing issues to the attention of management. This affects employees throughout your organization, from ground-level staff, who need to know what personal data is and how to handle it, to the triage and incident response (IR) teams, who will need to be involved in issues that require immediate resolution. It is also advisable to work with an experienced medical device consulting firm, especially one that specializes in medical regulatory consulting.

Central to how you handle data and protect it from unauthorized access is how you gather that data in the first place. If your firm is going to collect personally identifiable information (PII), you must obtain customer consent before you track it, and your collection process must follow US HIPAA regulation. If at any time the customer requests to stop being tracked, your company must stop tracking and purge that customer’s information from your files.

As organizations adopt data breach, data security, and privacy regulations across the globe, a primary concern is how to develop standard processes that address each individual set of requirements. One approach that can help bootstrap process development is to create a basic set of data protection principles, accompanied by FAQs and practice pointers, that drives home key concepts to employees using standardized terminology. A broader, integrated approach to training and process development will help standardize responses to a wide range of regulatory issues stemming from GDPR, HIPAA, EU-US Privacy Shield, and similar frameworks.

When it comes to data protection, the ideal situation is no situation at all. That means avoiding being breached, but if and when it happens, being prepared with a strong foundation will serve well in helping assess, remediate, and respond quickly and appropriately.

For more information about developing and implementing regulatory strategies, please contact the medical regulatory consulting specialists here at MEDIcept.
