The effects of GDPR on medical devices

With the entry into force of the new regulation for privacy, some specifications for the processing of user data are changing: let's see how.

Written Monday, by Emanuele Mortarotti

Welcome back to the news that the Dispotech team chooses for you each week.

A few days ago, the General Data Protection Regulation came into force - better known by its acronym GDPR, a regulation of EU law that governs privacy and the handling of personal data in order to protect users.

These new rules also affect medical devices which, as we have learned from the many articles we have published previously, often contain sensitive personal data and, for this reason, should be protected against hacking, attacks on servers, etc.

The first "trouble" to be dealt with by all those developing a medical device that will have access to sensitive patient data is the one regarding consent. A patient interacting with a medical device will probably have to give consent to the processing of their personal information, which means being informed of their rights and authorising what follows from that processing.

Put into practice, it consists of a long list of what cannot be handled without explicit consent: the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, data concerning health and data concerning sexual orientation, is prohibited without the owner's authorisation.

The basic concept of the GDPR is that a patient's data is no longer the manufacturer's right but the user's, who decides whether to entrust it to the device manufacturer. A violation of this concept is punishable by law with severe sanctions, including pecuniary ones.

If the device is used by doctors, each of them must make sure that the patient understands and gives consent to the processing of their data, which will take place right on the medical equipment. Essentially, whoever controls the patient's data is considered responsible for it; in any event, data processing on medical devices is covered by the GDPR whether the data subject is an EU citizen or simply visiting the EU.

The GDPR is a long and complex regulatory text: to read it in its entirety, you can view it at this link.

Don’t hesitate to contact Dispotech for further information and explanations.
