What You Need to Know About GDPR

Feb 13, 2019 | News

If you’re a medical device manufacturer planning do to business with the European Union you need to know about the regulatory change that took place in May 2018 that could have operational process and financial implications for your business.

The new General Data Protection Regulation (GDPR) contains both existing and new data privacy requirements that, if not met, can result in significant fines of up to 20 million Euro or four percent of annual turnover. Maintaining compliance is required of organizations as well as relevant vendors and partners and is critically important to ensuring that organizational IT ecosystems are doing all they can to help customers protect individual rights and freedoms.

One of the newest requirements is the need to respond to a data breach or loss within 72 hours and provide a full report of the event or incident that includes details such as how many individuals were affected and the type of data compromised. Consequences of the breach must also be reported, based on the disclosure of what the organization believes happened based on evidence, potential implications, as well as measures taken and that will be taken to mitigate the risks that were identified within the breach disclosure report.

To adequately respond to the change in regulations as a result of GDPR implementation, medical device firms should ensure that employees are well-trained at bringing issues to the attention of management. This can affect employees throughout your organization, from ground-level staff, who need to know what personal data is and how to manage it, to the triage and incident response (IR) teams, who will need to be involved for issues that need immediate resolution. It would also be advisable to work with an experienced medical device consulting firm, especially one that specializes in medical regulatory consulting.

Central to how you handle data and protect it from illegal access is how you gather that data in the first place. If your firm is going to collect personally identifiable information (PII) you must be sure to receive customer consent before you track it and your collection process must follow US HIPAA regulation. If at any time the customer requests to stop being tracked, your company must stop and purge that customer’s information from your files.

As organizations adopt data breach and data security and privacy regulations across the globe, a primary concern is how to develop standard processes to address individual sets of requirements. One approach that can help bootstrap process development is to create a basic set of data

protection principles consisting of principles and FAQs that cover a number of practice pointers to help drive home key concepts to employees using standardized terminology. A broader, integrated approach to training and process development will help standardize responses to a wide range of regulatory issues stemming from GDPR, HIPAA, EU-US Privacy Shield, etc.

When it comes to data protection, the ideal situation is no situation at all. That means avoiding being breached, but if and when it happens, being prepared with a strong foundation will serve well in helping assess, remediate, and respond quickly and appropriately.

For more information about developing and implementing regulatory strategies, please contact the medical regulatory consulting specialists here at MEDIcept.