MDR & GDPR
What it takes to comply with these EU regulations
The new MDR becomes mandatory from 2020. Many eHealth applications will now be classed as medical devices. Here we discuss the relation between MDR and GDPR and how they impact application development.
Over the past few years, the EU has been tightening up a lot of its regulations. The General Data Protection Regulation became mandatory last May, and the new Medical Device Regulation becomes mandatory from next year. Some of you may be confused about how these regulations affect your business. In this blog we will explore MDR & GDPR are linked and how they affect eHealth application development.
GDPR has had a profound impact on companies who trade in Europe or who have EU-based customers. The regulation sets out a number of rights for data subjects, and is backed up with some extremely tough fines (€20M or 4% of gross worldwide turnover). GDPR is starting to bite as was shown by the recent €50M fine issued to Google. Certain categories of data, including health data, receive special protection under GDPR. As an eHealth application developer, you are responsible for ensuring your customers’ data is protected.
The MDR (and the related IVDR) updates and extends the existing medical device directives. Medical devices fall into 3 classes, Class I, Class II and Class III. Class I devices only need self or partial certification, whereas higher classes require proper certification. In some circumstances, software can be defined as a medical device. Sometimes this is obvious, such as the software in an ICU monitor. But many mHealth apps will also now count as medical devices, for instance if they make recommendations based on measuring your heart rate or other physiological signs.
The link between MDR and GDPR
If your application falls under MDR, and if it collects personal data, then it also falls under GDPR! I.e. MDR compliance for eHealth applications requires GDPR compliance.
Simply put, MDR includes GDPR. GDPR applies to any company dealing with personal data of EU citizens. The regulation sets out a number of rights for data subjects, and is backed up with extremely tough fines (€20M or 4% of gross worldwide turnover, whichever is higher). Certain categories of data, including health data, receive special protection under GDPR. So, in summary, if your application falls under MDR, and if it collects personal data, then it also falls under GDPR!
How much effort is needed for compliance?
Complying with MDR and GDPR isn’t straightforward. In both cases, there are a number of steps you need to complete. These are shown in the table below. The graph compares the relative effort at each stage if you plan things properly or if you leave it till later.
MDR requires effort at all stages, starting with getting ISO 13485 certification and continuing throughout the product lifecycle. GDPR requires technical and administrative measures to be put in place upfront. After that, if you use services such as Chino.io or Consenta.me, the ongoing effort is easy.
What about some hard numbers?
We are often asked how much effort it really takes to become compliant. Of course, the answer depends largely on how complex your application is. If you just want to be able to store a series of simple readings from a heart monitor, becoming GDPR compliant will be easier than if you need to store a patient's entire health record. As a rule of thumb (and if you know what you are doing), creating the necessary infrastructure, developing the technical measures, etc. for GDPR will take round 25 weeks of development effort. If you are new to the field, this could easily double. The additional effort needed for MDR compliance (if everything goes smoothly) is around 3 months. So overall you could easily be looking at 9 months-1 year of effort.
When should I think about MDR & GDPR?
If you are developing a new product it’s easy to concentrate on the functionality, UI and UX. But don’t forget to consider GDPR and MDR compliance from the very start. As the dashed lines in the graph above illustrate, the later you leave these, the greater the cost of compliance. Retrofitting the technical measures and required documentation for compliance will be time consuming, painful and expensive. Even if you get it right, MDR certification will add around 3 months to your development time. Without MDR certification you won’t be allowed to sell your product or service after May next year. So, the earlier you start, the better. Don’t leave it to May 2020, that’ll be too late!
Everyone should already be complying with GDPR, and, from next May, many of you will also need to comply with MDR. Given the complexity of getting MDR certification, we suggest you start to think about this now. As the only medical-grade DBaaS with ISO 13485 certification, Chino.io is your perfect partner for this.