What is the GDPR (General Data Protection Regulation)?

The General Data Protection Regulation (GDPR) seeks to protect the rights and personal data of individuals in the European Union (EU) and across the European Economic Area (EEA). The GDPR replaces the previous 1995 Data Protection Directive.

It came into effect on 25th May 2018. The regulation also addresses the transfer of personal data from the EU and EEA areas.

Importantly, the GDPR is not only restricted to EU-based companies. If you hold or process the personal data of EU residents, the GDPR applies to you - even if you are not based in the EU.

Equally, whilst the UK is no longer a member of the EU, the GDPR has been incorporated into UK data protection law as the UK GDPR. This maintains the core data protection principles, rights and obligations of EU GDPR.

Why was the General Data Protection Regulation (GDPR) needed?

The General Data Protection Regulation (GDPR) was created following a need for updated data privacy and processing policies. Since the DPD came into effect in 1995, we have seen countless technological advancements, including the rise of software as a medical device (SaMD). The DPD was not written with these new advancements in mind, hence there was a needed for modernised regulations.

The GDPR also aims to harmonise and modernise data privacy and processing policies across the EU, and make it easier for data subjects to understand how their data is used, thus giving them more control over their personal data.

How does the GDPR differ from the previous Data Protection Directive?

Since the Data Protection Directive came into force in 1995, there have been numerous advancements in terms of technology and communications. With these developments comes the need for updated regulations, as the former Data Protection Directive (DPD) was not created with these new developments in mind. 

In addition to the GDPR being considerably more detailed than the DPD, there are also a number of other notable differences, including:

1. Definition of personal data

Compared to the definition used in the DPD, the definition of ‘personal data’ is much more extensive under the GDPR. The definition used in the DPD defines personal data as any information related to an identified or identifiable person or data subject. This includes information such as names, addresses, email addresses, bank details, and social security information. 

The GDPR, however, extends the definition to: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier”

These ‘identifiers’ not only include the examples given in the DPD, but adds many new personal data forms to the definition of personal data, including IP addresses, biometric data such as fingerprints, medical records, mobile device identifiers, and any other information related to social or cultural identity.

2. Control over personal data

Opt-in requirements

The GDPR introduces new opt-in and consent requirements that give individuals more rights and control over their personal data. For any processing of personal data, individuals must explicitly “opt-in”. Individuals must also give consent for the processing of their personal data, and this consent must be informed, specific, and unambiguous.

The right to be forgotten

Under the GDPR, individuals also have the “right to be forgotten”. This means that an individual can request that an organisation erases their personal data, cease to use it, and stop any third parties from using it. Individuals also have the right to access their data at any time, and to ask where their data is being used, and for what purpose. This information needs to be available in an electronic format, and be available free of charge.

3. Data Controllers and Data Processors

Accountability

The DPD and GDPR have different rules about who is accountable for any mishandling of personal data. Under the DPD, only data controllers were held accountable. Under GDPR, both data controllers and data processors are held jointly accountable for both mishandling of data and complying to rules. Data processors must also have a contract with data controllers for the processing of personal data, and the data processor is specifically responsible for the security of said personal data.

Appointment of a Data Protection Officer (DPO)

Under the GDPR, the data controller or data processor must appoint a data protection officer (DPO). The DPO serves as the point of contact for any enquires about the collection and processing of personal data.

You can read more about DPOs here.

4. Additional responsibilities for organisations

Privacy by design

Under the GDPR, organisations have increased responsibilities in terms of ensuring the security of personal data. The privacy of personal data must be considered at every stage of business development and operations, and especially at the first inception of the product idea. This is known as ‘privacy by design’.

Impact assessments

Under the GDPR, it is necessary to conduct impact assessments. Impact assessments must be conducted for any automated data processing activities, large-scale processing of certain types of personal data, and systematic monitoring of publicly available areas on a large scale.

5. Protocols for data breaches

Compared to the DPD, the GDPR has much more stringent requirements for data breaches and penalties. The GDPR requires that organisations report instances of a data breach within 72 hours, and that all affected data subjects and the relevant supervisory authority are informed.

Streamlined data breach protocols across the EU

Under the DPD, EU member states were allowed to decide their own different protocols for data breaches. However, under the GDPR, this protocol is now standardised across all EU countries.The penalties for data protection violations are also now standardised across all EU countries, whereas under the DPD, the member states were able to decide the amount of the penalties themselves.

6. The extense of the GDPR

And last but not least, the GDPR is significantly more extensive than the DPD. For instance, under the GDPR, if an organisation collects or processes the data of EU subjects, it has to comply with the GDPR, even if they do not have a physical presence in the EU.

The GDPR also encompasses certain personal data types that were not accounted for in the DPD, such as IP addresses.

Who needs to comply with GDPR?

The GDPR applies to:

• Companies or entities which process personal data as part of the activities of one of its branches established in the EU.
• Companies established outside of the EU that process the personal data of EU subjects
  

The 7 principles of GDPR

The GDPR has seven key data protection principles. These provide the fundamental building blocks for good data protection practice, and are key to your compliance with the MDR.

These 7 principles are:

1. Lawfulness, fairness and transparency

Requiring that you process personal data lawfully, based on the purpose you have communicated to the individual.

2. Purpose limitation

You need to collect personal data for specified, explicit, and legitimate purposes only.

3. Data minimisation

That you should only collect, store, process, and use information that is necessary to provide the required service.

4. Accuracy

That you ensure the data is true and correct, and be able to correct any inaccurate data in a timely manner.

5. Storage limitation

That you do not hold data for longer than is necessary, and have the capability to delete data if requested.

6. Integrity and confidentiality

That you have appropriate technical and organisational measures in place to ensure data security.

7. Accountability

That you are responsible for ensuring you comply with the principles of the GDPR, and are able to demonstrate your compliance if necessary.

What does the GDPR mean for your medical device solution?

GDPR and health data

As medical devices collect personal data, and often ‘high-risk’ personal health data, it is absolutely essential that they are GDPR-compliant.

GDPR in healthcare

Under the GDPR, when collecting and processing healthcare information and data, it is essential that the consent is given by the data subject. This consent must be clear, explicit, and informed. In order for informed consent to be given, data subjects need to be suitably informed about how their information will be used. Thus any consent forms must be written in clear, plain language which can be easily understood. Under article 7 of the GDPR, it states explicitly that data subjects need to be aware of how their data will be used. 

GDPR and the MDR (Medical Device Regulation)

Following the introduction of the MDR (Medical Device Regulation) in the EU as of 21st May 2021, many health apps are now considered medical devices. For example, if a wearable device incorporates software that analyses data and makes clinical recommendations, this is now considered to be a medical device under the MDR, and is therefore subject to MDR regulations.

Additionally, if you app falls under the MDR, and collects personal data, it also falls under the GDPR. Thus, GDPR compliance is a prerequisite for MDR compliance.

To learn more about the MDR, read our summary in the MDR here.

GDPR and health apps

On 10th April 2014, The European Commission published a Green Paper on mobile health. This subsequently launched a public consultation, which was open until 10th July 2014. What this consultation revealed is that people often do not trust mobile health apps due to privacy concerns.

The proposed solution? A privacy code of conduct on mobile health apps

After seeing the results of the consultation, the European Commission decided to encourage mobile health industry stakeholders to create a privacy code of conduct on mobile health apps. The intention was to create more trust around mobile health apps.

Work started on creating this code of conduct in April 2015. Following some suggestions for improvement, the code was formally submitted to the Working Party for approval on 7th December 2017. It was requested for approval under the DPD, which was still in effect at the time. However, when the Working Party published their assessment in April 2018, just one month before the GDPR came into effect, it was determined that the GDPR should be applied to the code. As the code did not address the necessary GDPR requirements, the code was not approved.

So, what happens next?

Currently, the European Commission are actively encourage stakeholders to further develop this code of conduct, with the hope that it will one day be submitted to the European Data Protection Board for approval. 

GDPR and software development

Although not yet finished and approved, the current draft of the code contains some very good guidance for mobile health software developers on the topic of data protection principles. It is definitely a good idea to follow these principles, as the GDPR states that you should take “appropriate technical and organisation measures” for securely handling data. Taking this guidance into account from the very beginning of your software development will make your GDPR-compliance journey a lot smoother.

Here are some examples of the guidance given in this code of conduct:

1. User consent

Explicit consent must be obtained for the processing of personal data. The consent must be free, specific, and informed. If a user withdraws their consent, their data must be deleted.

2. Purpose limitation and data minimisation

Data must only be processed for specific and legitimate purposes, and only data that is strictly necessary for the functioning of the medical app may be processed.

3. Privacy by design and default

Privacy implications must be considered at every stage of software development. Additionally, in instances where the user is given a choice between different options, the default selection should be the least privacy invasive choice. 

4. Data subject rights and information requirements

Users have the right to access their own personal data at any time, and they are allowed to request corrections and object to further processing of their personal data. App developers have a responsibility to provide users with information about how their personal data is processed.

5. Data retention

Data must not be stored for any longer than necessary.

6. Security measures

Both technical and organisational measures need to be put in place to ensure the confidentiality, integrity, and available of any personal data processed. This is also to protect against accidental or unlawful destruction, loss, alteration, disclosure, access, or other unlawful means of processing.

7. Advertising in mobile health apps

Any advertising based on the processing of personal data requires opt-in consent. Advertising that does not rely on processed personal data should use opt-out consent. 

8. Use of personal data for secondary purposes

Any use of personal data for secondary purposes must be compatible to the original purpose. Secondary processing of personal data for scientific research or statistical purposes is considered to be compatible to the original purpose. Any non-compatible purposes will require new consent from the data subject.

9. Disclosing data to third parties for processing

Users must be informed prior to the disclosure of their data to third parties. The app developer also needs to be in a binding legal agreement with any third parties.

10. Data transfers

Any transfers of data outside of the EU/EEA must have a legal guarantee permitting such a transfer, such as an adequacy decision from the European Commission.

11. Protocols for data breaches

Organisations must inform data subjects about any personal data breaches within 72 hours, otherwise they will face penalties. The relevant data protection authority must also be informed.

12. Data gathered from children

For any data collected from children, the strictest data protection approach should be applied, and a process to obtain parental consent must be implemented.

Other organisational measures that can be taken to ensure data security include:

• making sure staff are properly trained on data security measures.
• limiting access to personal data to only the employees who need it.
  

GDPR and ISO 13485

When looking to comply with the GDPR, it is also a good idea to comply with ISO 13485:2016. ISO 13485:2016 is a quality management standard specifically for the design and manufacture of medical devices, and being compliant to it is one of the prerequisites for receiving a CE marking. 

How does being compliant to ISO 13485 help with complying to the GDPR?

Having a good, ISO 13485-compliant Quality Management System (QMS) not only helps ensure that your processes are effective, but it also helps demonstrate product safety and security. This is because it ensures that the design and development of your product is consistent and safe for its intended purpose, and this includes the processing of personal data.

GDPR and ISO 27701

When adhering to the GDPR, ISO 27701 is one of the most important standards to have under your belt, as it sets out guidance on the appropriate technical and organisational measures to meet the requirements of the GDPR.

You can find out more about ISO 27701 here.