Key principles that define GDPR

The European Union’s GDPR outlines key principles that all entities need to address in order to achieve compliance. Your compliance measures must incorporate:

  1. Lawfulness, fairness, and transparency of data processing:
    This requires understanding the regulations. Manufacturers must create a privacy policy that explains what data is being collected and the purpose for collecting that data.
  2. Purpose limitation:
    Personal data should be collected for specific, explicit, and legitimate purposes. Ensure that purpose is clearly stated and for a specific time period.
  3. Data minimization:
    Personal data can only be collected for a relevant and specific purpose. This minimizes the potential for harm in the event of a data breech.
  4. Accuracy of data:
    Any inaccurate personal data should be corrected or deleted. Where necessary, data must be kept up to date. Individuals also have the right to request that incorrect data be corrected.
  5. Retention of data:
    Personal data must be kept in an identifiable format and no longer than necessary. This length of time will vary depending upon the medical device or IVD. Ensure that your policies appropriately address this item.
  6. Integrity and confidentiality:
    Best practices for data security are evolving rapidly. Companies must ensure that they address data privacy that is appropriate to their product and current data privacy standards.

What can companies do to meet GDPR?

  • Analyze what, how, and why they process data
  • Assess how the regulation might affect their current business
  • Consult with relevant stakeholders: such as customers, data controllers, data processors
  • Create processes: implement the GDPR into the company, set clear responsibilities
  • Be transparent: be prepared to show how data is transferred and processed if asked. Put consent and privacy notes in plain language.
  • Compliance: ask, how can the organization show it is compliant?
  • Responsive: requests from individuals and incidents must be dealt with within certain timeframes, for example, a notifiable breach must be reported to the relevant supervisory authority within 72 hours.

Activities to start the process GDPR:

  • What is our company’s data footprint in the EU (e.g. employee data, consumer data, business customer data)?
  • Can we provide evidence of GDPR compliance to EU or US privacy regulators, who may now request it on demand?
  • Do we have visibility of and control over what personal data we collect?  How it is used? With whom the data is shared?
  • Do we have a Privacy by Design program in place, with Privacy Impact Assessments, documentation, and escalation paths?
  • Do we have a tested breach-response plan that meets the GDPR’s 72-hour notification requirement?
  • Have we defined a roadmap for GDPR compliance?
  • Have we identified a Data Protection Officer (DPO)?
  • Have we adopted a cross-border data transfer strategy?