The Medical Device Regulation is expressly linked to the General Data Protection Regulation through MDR article 110. There are also references in the section on Clinical Investigation (article 72).
Kaleidoscope works with medical technology manufacturers and designers to implement the requirements of GDPR in their designs from the outset. This covers both the technical design of the product – GDPR requires Privacy by Design and Privacy by Default – and the routes to different markets, which can change the role of the manufacturer from processor to controller.
The scope of GDPR extends far beyond data security alone, which is one of six principles for which controllers are held accountable in demonstrating compliance. Kaleidoscope works with medical technology developers around the world to advise and support them on GDPR compliance and access to European health markets.
Other services frequently include:
- External DPO service – may be a statutory requirement, is also required by some European countries, and is sometimes adopted for reputational marketing purposes.
- EEA representation – a statutory requirement for controllers and processors established outside the EEA.
- Data Protection Impact Assessment (DPIA) – a valuable sales tool in many markets.
- Data Security and Protection Toolkit (DSPT) – often a minimum requirement for selling to the NHS in England and frequently imposed by contract.
- Consent preferences design – depending on the medical device and route to market, can be a vital element in ensuring compliance.
- DTAC applications – a baseline set of criteria that digital health technologies must meet to sell to the NHS in England.