Is GDPR part of the MDR? The journey to medical device compliance.

An interview about certifications, requirements, GDPR and MDR with Stefano Lai, Q&R Manager at Henesis.
An interview with Henesis

Jovan Stevovic: Stefano, thank you for your time. It’s nice to have you here.
Can you tell me about yourself and your role in the Henesis team?

Stefano Lai - HENESIS: I'm Stefano Lai, and my background is in biomedical engineering. I got a Ph.D. in robotics in 2015, and after some experiences abroad, I joined Henesis about six years ago. I started working in the R&D area, and after some studies and specialisation in quality and regulatory affairs for medical devices, I became a regulatory affairs specialist about three years ago. Then, after two years, the Q&R manager of Henesis.

Jovan Stevovic: Can you tell us a little more about Henesis? Who is Henesis, and what do you do?

Stefano Lai - HENESIS: Henesis is a health tech company focusing on human self-empowerment. We are working mainly in three different areas (but overlapped). The first is brain-computer interfaces. The second is microfabrication and sensor microfabrication. The last is telerehabilitation. Our approach is to identify the market needs and high-tech solutions that are science-driven, wearable, easy to use, and eco-friendly. Although we were born as a research company (and are still a research company), we recently launched our first product, Arc Intellicare. This telerehabilitation medical device is a new concept developed and produced by our internal R&D team. Arc is a medical device comprising different components, sensors for inertial measurement, a tablet with an app running, and a back-end server and web portal. The idea is to follow the patient who needs rehabilitation (motor or respiratory) to be supervised during the task or the exercises even without the therapist's direct supervision.

Jovan Stevovic: So it’s a medical device. There is hardware, but also there is software involved. As we know, it is a highly regulated market. Can you tell us a bit more about how you faced the whole process? What were your main challenges?

Stefano Lai - HENESIS: Regulation in the healthcare industry is a real challenge, and no matter how big you are, you might be constantly updated and always ready to mitigate possible risks, solve non-compliances and, of course, comply with regulations.
This is the main reason why Henesis decided to invest in training the internal resources on both regulatory and quality aspects at the beginning.
I'm the first example. We have a small team, and people work under my supervision on this aspect. We chose to have this internal group as a company because these aspects must be considered in the first phases of developing a new device. In this way, the development can go ahead in a regulated framework. Of course, this does not mean that our ideas and innovation must be limited or stopped by the regulatory requirements. Still, it means that during the development, we need a co-design of the product that includes different aspects, including regulatory affairs expertise. The presence of a lawyer internally can support the revision of commercial documents, but having invested even in internal knowledge, we understood that some parts are very crucial. For example, the GDPR area is very difficult to manage, so it's critical to have a partner who is highly focused and can supervise the entire development process. This is why we started the collaboration with

Jovan Stevovic: You have a small team with a lot of focus on the regulatory part, and also, in the idea creation and research, you involve the regulatory. But you made a distinction between MDR and GDPR. Can you tell us more? How do you see GDPR in relation to MDR?

Stefano Lai - HENESIS: My experience is in MDR and the quality management of medical devices. So, I work daily on reading part of the MDR for medical devices.
GDPR is a part of the MDR because it is a requirement, independently of the class of the medical device. Whether low-risk or high-risk, the main goal is to protect and secure this data. And they are both based on risk management. The new version of ISO 14971 is focused not only on the patient but also on the environment and data. The GDPR, which is a European regulation, is fully harmonised with the MDR. Thus, as a manufacturer of medical devices, we must also comply with the GDPR. In our specific case, without specific knowledge, we needed to find the right partner to help us cover this part.

Jovan Stevovic: The connection between MDR and GDPR is interesting, but also the difference between them. In fact, MDR includes GDPR.

Stefano Lai - HENESIS: Yes, exactly. And even some choices in developing the device are led by the GDPR. For example, our product is based on an app running on a tablet. We decided to secure the tablet, providing the patient with a tablet branded Henesis with the app inside. This was a choice based on the security of the patient's data.
For example, we had some requests from partners asking us, “Can I download the app from the Play Store on my personal device? Why can't this be done?”
This may look like a limit to someone, but it is not a limit. In reality, it is a pro of our solution because we are trying to follow a requirement of the MDR asking to protect the patients’ data.
However, the requirement is also taken from the GDPR. So sometimes, although many stakeholders are aware of the importance of GDPR, sometimes they don't know why we made some choices instead of others.

Sometimes, the GDPR can be perceived as an obstacle to usability, but it is not really an obstacle. It should be considered as measures that are implemented to guarantee the safety and security of the patients.

Jovan Stevovic: As you said, they impact decisions and go-to-market strategy, right? You are now in the process of launching the product. How aware were they of the regulatory and data protection?

Stefano Lai - HENESIS: They are aware of this. We are working with private healthcare groups and public research hospitals, all of which have DPOs. However, sometimes, they don’t know how much effort is required to implement and comply with GDPR requirements.
Here is another example: our device is intended to be used at home. To do so, we log the patient before going home from the hospital. One of our partners asked us to let the therapist pass the security block, such as passwords or biometrics of the patients, to work directly with the patient's app. This is not compliant with the GDPR. So, sometimes, usability features overcome some GDPR requirements.

Jovan Stevovic: You said you are interacting with DPOs in hospitals. When they start to ask you questions and due diligence on your product, is it a tricky process? Do you find it challenging?

Stefano Lai - HENESIS: I think you should be ready for this. It means that if the DPO is asking for these documents, you need to be ready to provide them, and think in advance so that they are ready to be customised based on the request. But the documents must already be in place. From our experience, following these was not easy, but with the right guide, which can show you precisely what you have to provide and what risks you have mitigated in the process, it is easier to provide the proper documentation.
You should choose the right pattern based on your requirements, the quality you are looking for, and the presence of your partner's certifications. The medical devices market is a critical part of the suppliers' management. So, if you are ready and you are supported by a partner adequately, even these activities that are generally very tough can be done in a more precise and focused way.

Jovan Stevovic: When it comes to going to market, what would be your advice to the CEOs and companies starting their adventure in digital health and medical device space?

Stefano Lai - HENESIS: My recommendations are about the regulatory part. First, we needed to develop a regulatory technical and business roadmap. As I was saying at the beginning of this chat, we tried to have a multidisciplinary team in our company consisting of technical and business experts and regulatory affairs experts. I suggest focusing on this point from the beginning of the design concept.
For example, if you are developing software and don't map all your steps from the beginning of the development but next to the production, this can be a problem because the MDR (but also the standards for software lifecycle) requires you to follow a precise step-by-step procedure. And you need to document everything.

Secondly, you should not underestimate the effort to comply with all medical device regulations, including GDPR and MDR. Because even if some points look obvious (such as having a device safe with some performance), some requirements are still very strict. And if you want to comply with them, you need a lot of tests and evidence that the system is working that way.

The second message is don't underestimate the effort and the time required to develop and produce a compliant device.

Jovan Stevovic: Is there anything about your adventure or experience that you wish you knew before?

Stefano Lai - HENESIS: Always from the regulatory point of view. MDR was issued in 2017 and has been in force since 2021. But in the following years, many documents came out to better explain some parts of the legislation. They're called MDCG documents (Medical Device Coordination Group) and are issued by the EU Commission, as they are the main guidelines. The problem is that these continue to be issued, and sometimes you can have an idea or ask a notified body (or some consultant) about some points. And then, after months, there is a new document explaining precisely what you were thinking about. As I said before, I would have preferred to be more aware of how difficult it is to comply fully with all the requirements.

Jovan Stevovic: What did you like most about working with Chino?

Stefano Lai - HENESIS: The right partner should have technical experience. In this case, specifically, you were a good partner because you also had real experience in the legal part, so we could cover it from the technical and legal points of view. For my company, which was an utter beginner in these aspects, it was a plus to have full coverage of all these aspects that are very difficult. Another important aspect was that you were good at leading and prioritising the tasks. We appreciated your plan, designed to let us get a fast result in a short time, but also a long-view plan that covers all the parts.

Jovan Stevovic: To conclude, you have been working in the regulatory space now for many years, and you have seen the journey from 0 to compliance. Are there new regulations on the horizon? How do you see the regulatory space evolving?

Stefano Lai - HENESIS: The most googled word today is AI, which can be considered an esoteric area. Someone can think AI is a sort of magic. But if we consider AI as a software or math model without a psychological discriminant, it is clear that this tool must also be regulated.
In this period, the EU Commission is working on the AI Act. The main goal of this Act is not to limit innovation but to try to help manufacturers put their attention and effort into providing better AI products. I'm saying this because MDR, GDPR, and AI Act are based on risk management. All three require that the devices are safe, effective, or performant and can guarantee quality.

They are not so different: MDR, GDPR, and AI Act are all focused on the person.
And so you have to guarantee that the person can use a safe and best-performing device.

The feeling related to the next AI Act is similar to that of the coming MDR some years ago. For MDR, the thoughts of MD manufacturers were about the difficulties: “How difficult will it be to comply with this? Why do I have to do this if in the past I did it in another way and everything was working well?” But most parts of the MDR report the obvious: guarantee safety, push the performances, and report evidence. I'm not saying that MDR is easy, but the message is that most requirements can be fully expected.

For the new AI Act, the situation could be similar, in particular for classic AI with a training model and an inference model. The situation could also be more challenging for regulators with regard to generative AI.

Jovan Stevovic: Thanks for sharing your opinion. As a regulatory person, you are working on a daily basis on this. So it's interesting to hear your perception. Thanks for this chat. It was lovely to hear your story at Henesis, your approach to regulation, and how we work together. So it was a pleasure to have you here, and looking forward to the next steps.

Working with experts can reduce time-to-market and technical debt and ensure a clear roadmap you can showcase to partners and investors.

At, we have been combining our technological and legal expertise to help hundreds of companies like yours navigate EU and US regulatory frameworks, enabling successful launches and reimbursement approvals.

We offer tailored solutions to support you in meeting the GDPR, AI-Act, HIPAA, DVG, or DTAC mandated for listing your product as DTx or DiGA.

Want to know how we can help you? Reach out to us and learn more.