The makers of connected medical devices had better sit up and take note of the European Union’s incoming General Data Protection Regulation (GDPR), as it has major implications for their sector.
The basis of the impact comes from Article 9 of the GDPR, which will be enforced from 25 May next year. This article prohibits the processing of personal health data with a limited set of exceptions.
For clinical IoT firms, the most important exemptions apply where the data subject has given consent, where the processing is “necessary for reasons of public interest in the area of public health”, and where it’s needed for research, diagnosis or treatment.
That may sound like it clears the way for all clinical IoT, but life isn’t quite so simple, as the GDPR is very strict about purpose limitation.
“If you’re looking at a health data scenario, a lot of companies rely on physicians in order to get consent for the use of their particular service or device,” says Erik Vollebregt, the founder of Dutch life sciences law firm Axon. “The devices are handed out in hospitals or by GPs. These guys are typically not that good at obtaining consent – they don’t [usually] need to obtain consent because they’re already covered by the treatment exemption.”
“Let’s say I’m a manufacturer or offering a service that can read out blood glucose readers. Is what I’m doing as a data processor covered by the treatment exemption? If it’s not, because I’m doing other stuff with the data [beyond] providing it to the physician for treatment purposes – for example, if I’m training my algorithms or doing some nice aggregation of the data – these are not strictly necessary for treatment. They’re additional purposes, and you need permission.”
Victoria Hordern, counsel at Hogan Lovells in London, agrees. “Unless the clinical IoT device is used because it is necessary for occupational medicine purposes, medical diagnosis, provision of health or treatment or for scientific research purposes, explicit consent will need to be collected from the individual whose data is collected,” she said. “Explicit consent under the GDPR is a very high standard and a number of specific requirements will need to be in place in order for consent to be valid.”
The GDPR also insists that privacy protection is built into IoT devices by design and by default. According to Hordern, this includes mechanisms to ensure that data-sharing is limited to the specific purposes that have been presented to the individual concerned.
“Any additional or secondary purposes for using data collected through clinical IoT should be closely scrutinised and usually not permitted,” she warns, adding: “Organisations will need to design devices or procedures to provide sufficient transparency to individuals and ensure that they can control how the IoT device works.”
The GDPR also says users should be able to take their data over to a rival service provider if they want, in a commonly used format that makes this possible. “Depending how far the competent authority [local privacy regulator] is prepared to go, they might say it has to be directly transferred into another solution,” says Vollebregt. “As a manufacturer, you have to design your systems in a way that the data can be portable.”
Vollebregt warns that the privacy-by-design mandate may spell trouble for device manufacturers who haven’t started the ball rolling yet. “If you look at the design cycle many companies have for the software on their devices, that’s already less than a year to prepare,” he says. “Companies that haven’t started with this now are often already too late.”
Privacy impact assessment
Both lawyers stress the need for companies facing GDPR implementation to start with a privacy impact assessment, as the regulation requires. This is essentially a risk assessment that aims to find weak spots in the company’s compliance with the incoming law, and it may involve talking to various countries’ privacy regulators.
“In some instances, organisations may have to consult with data protection authorities given the sensitivity of data and the probable wide scope for capturing substantial amounts of data,” says Hordern.
To complicate matters further, clinical IoT vendors have more than just the GDPR to bear in mind as they head towards the new regime’s introduction. According to Vollebregt, the EU’s new ePrivacy Regulation, as well as its new twin regulations on medical devices (MDR) and in vitro diagnostic medical devices (IVDR), will also have an effect on the decisions that need to be made.
“They contain rather new requirements with respect to cybersecurity and compatibility, and those rules can impact on your design of your medical device,” he says. “They can also impact on your privacy by design that you do under the GDPR.”
“For example, if you look at the paradigm of security that the medical devices regulations are concerned with, those are mostly about possession or control of the device and continuity of operations and safety of people and assets. On the other hand, the safety thinking in the GDPR is about confidentiality, utility and integrity and authenticity of data. That’s one big ecosystem.”
Because these other regulations have also now entered into force and are in their transitional periods, Vollebregt adds, “if you’re working on your privacy by design compliance under the GDPR, you may also already want to look at what you need to implement under the MDR and IVDR, otherwise you need to do it twice, or you may need to backtrack on things you thought were the right way to approach the GDPR.”
Whichever regulation they’re dealing with, the consequences of shirking responsibilities could be dire for smart medical device manufacturers and their users.
“Under the GDPR, you can get astronomical fines for deliberate non-compliance, and you also don’t want to be non-compliant under the MDR or IVDR,” says Vollebregt. “You don’t want to be the first company in the world that is publicised for ransomware that hijacks its active implants and demands bitcoins to not kill the patient.”