Get Connected Blog | Nordic Semiconductor

EU GDPR: Privacy for connected medical devices

Written by Thomas Søderholm | November 15, 2017

The impact of upcoming EU regulations on anyone who processes health data is huge. Here’s what medical IoT device manufacturers need to know about GDPR.

Connected devices have the potential to transform almost every aspect of medical care. Developments such as automation, enhanced monitoring and analytics, and increased patient safety promise major benefits to the healthcare industry.

But there is an ever-growing amount of data tied to individuals, and this is only set to accelerate as the scope of connected medical devices grows. With corporate cyber-attacks becoming more sophisticated and data leaks from the likes of Yahoo and Ashley Madison having a direct impact on customers, an individual may start to feel more protective over their personal health data.

The European Union has moved to introduce a significant new regulation. Although announced in 2016, the EU General Data Protection Regulation (EU) comes into force from May 2018. Are you ready?

The GDPR explained

The EU GDRP (2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU. It does not require individual governments to pass any legislation, so it is automatically applicable across all member states.

If your company is based in America or Asia and you think you don’t have to worry about the regulations, think again, as it also addresses the export of personal data outside the EU. Much like the recent changes to EU VAT law, it affects any company that does business with, or has customers in, the EU member states.

What this means for connected medical devices

It has been discussed for some time now whether IoT devices do enough to meet existing data protection regulations. The GDPR strengthens these existing requirements in relation to data subject consent.

The regulations make it clear that consent cannot be assumed, and that consent should not be regarded as freely given if the data subject has no free choice, or is unable to refuse consent without a negative impact.

In addition, the concept of grandfathering will not apply. This means many existing systems will have to be adapted to ensure compliance.

What data falls under the legislation

The GDPR introduced an expanded definition of what is meant by ‘health data’. The scope includes:

  • All data relating to the past, present and future physical or mental health status of the subject
  • Information collected during registration
  • A number or other piece of data assigned to a person to uniquely identify their health data
  • Information from testing or examination
  • Information on a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the subject

In addition, consent must be specific, informed, freely given and must be positively given, rather than assumed or via an opt-out condition. Explicit consent must be given for special categories of data including race, ethnicity, religion, or sexual orientation.

In addition to the GDPR, EU member states have the option of introducing their own conditions about the management and processing of genetic data and biometric data. This is definitely something to keep an eye on.

Privacy Impact Assessments

The regulations require all companies that process personal health data to conduct a Privacy Impact Assessment (PIA) prior to the processing. This is a systematic description of the operations and their purpose, including the proportionality and necessity in relation to the purpose. It must also show how you are proactively in compliance with the GDPR, taking into account the rights and interests of the subjects.

Privacy by design and privacy by default are concepts which exist in current data protection legislation, but the GDPR will put these concepts on a firm legislative footing. Data controllers will be obliged to prove their compliance.

> Read more: Security of connected medical devices

Children’s data

The GDPR will make it impossible for children under the age of 13 to give consent about their own data, when it comes to online services. The situation for children under 16 will be decided by each member state.

The potential for connected medical devices to improve the lives and outcomes of patients is huge if security and privacy are dealt with appropriately. While the EU GDPR is seen as a roadblock by some in the industry, connected medical devices should be more secure and more private as a result.

If you are involved in the medical device industry, taking legal advice on your processes and procedures is an absolute must.