Overlap EU MDR, ISO 27001 and GDPR
Amy Eikelenboom
Co-Founder at NAALA
Published on 30 June, 2021
As a developer of software that is classified as a medical device (or of AI), your role extends beyond development: you are responsible for the quality of the product, and you are also entrusted with safeguarding information security and data protection. At NAALA, we take a holistic approach so that all of these requirements are met while the effort spent on compliance stays efficient. Yet one may wonder: what exactly is the interplay between the MDR, the GDPR and information security standards? Aren't these distinct processes? Let's delve into the intricacies of their overlap.
Both the EU MDR and ISO 27001 require the construction of a management system. The EU MDR requires such a system for the quality of the product; ISO 27001 requires one for ensuring information security. One could say that, for software as a medical device, ensuring information security is part of ensuring quality.
The General Safety and Performance Requirements (hereinafter: GSPRs) can overlap with ISO 27001 requirements. GSPR 17, for example, sets out information security requirements to be met by the manufacturer during the entire life cycle of the product. As EN 62304:2018 (to be harmonized under the EU MDR as from 27 May 2024) already includes security requirements, the ISO 27001 controls can give substance to the measures that need to be implemented to minimize the risk of hazardous situations occurring.
An efficient allocation of company resources aimed at compliance is to integrate these requirements and work towards compliance with both at the same time. The table below shows how the Annex A controls of ISO 27001 relate to the general GSPRs of Annex I to the EU MDR. Such an overview can be made for all applicable requirements in order to manage their overlap.
| # | General GSPRs | NEN/ISO 27001 Annex A |
|---|---|---|
| 1. | Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured | A.5.1.1 |
| 2. | The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible | A.5.1.1 |
| 3. | Manufacturers shall establish, implement, document and maintain a risk management system. | A.5.1.1 |
| a) | establish and document a risk management plan for each device; | A.5.1.1 |
| b) | identify and analyse the known and foreseeable hazards associated with each device; | A.5.1.1 |
| c) | estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse; | A.17.1.1 |
| d) | eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4; | A.17.1.2 |
| e) | evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability; and | A.12.7.1 |
| f) | based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the requirements of Section 4. | A.5.1.2 |
| 4. | Risk control measures adopted by manufacturers for the design and manufacture of the devices shall conform to safety principles, taking account of the generally acknowledged state of the art. To reduce risks, manufacturers shall manage risks so that the residual risk associated with each hazard as well as the overall residual risk is judged acceptable. In selecting the most appropriate solutions, manufacturers shall, in the following order of priority: | A.14.2.9 |
| a) | eliminate or reduce risks as far as possible through safe design and manufacture; | A.14.2.1 |
| b) | where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks | A.5.1.1 |
| c) | provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to | A.12.2.1 |
| | Manufacturers shall inform users of any residual risks. | |
| 5. | In eliminating or reducing risks related to use error, the manufacturer shall: | |
| a) | reduce as far as possible the risks related to the ergonomic features of the device and the environment in | A.12.6.1 |
| b) | give consideration to the technical knowledge, experience, education, training and use environment, where | A.12.2.1 |
| 6. | The characteristics and performance of a device shall not be adversely affected to such a degree that the health or safety of the patient or the user and, where applicable, of other persons are compromised during the lifetime of the device, as indicated by the manufacturer, when the device is subjected to the stresses which can occur during normal conditions of use and has been properly maintained in accordance with the manufacturer's instructions. | A.14.2.2 |
| 7. | Devices shall be designed, manufactured and packaged in such a way that their characteristics and performance | A.8.3.3 |
| 8. | All known and foreseeable risks, and any undesirable side-effects, shall be minimised and be acceptable when | A.5.1.1 |
| 9. | For the devices referred to in Annex XVI, the general safety requirements set out in Sections 1 and 8 shall be | |
In summary, the QMS required by the EU MDR and the ISMS required by ISO 27001 are complementary and leave room to integrate their requirements.
The General Data Protection Regulation (hereinafter: "GDPR") requires the controller to implement appropriate technical and organizational measures to ensure the rights and freedoms of data subjects. Additionally, there needs to be a process for evaluating and updating these measures when necessary. Processors must be able to demonstrate that the technical and organizational measures keep the controller compliant.
But what are appropriate measures (or controls) to implement? This is where ISO 27001 can come in. ISO 27001 and other ISO standards can be used to give substance to legal requirements. The Annex A controls related to information security partly cover this GDPR requirement. In addition, ISO 27001 sets up a risk management system that can cover more than information security requirements alone: it can be expanded with organizational and technical measures specifically aimed at upholding the principles relating to the processing of personal data (Article 5 GDPR).
Although each regulation or standard targets a specific aspect of the organization and the medical device, they nonetheless overlap in many respects. The figure below visualises how ISO 27001 supports both GDPR and EU MDR requirements, and how ISO 14971 on risk management for medical devices (yes, another ISO standard) could support the entire process. The starting point for implementing any of these requirements is to set up an organization-wide risk management system that covers every aspect, from quality to information security and privacy.
Questions? We are happy to discuss your specific case.
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.