NAALA | Not An Average Legal Advisor

Overlap EU MDR, ISO 27001 and GDPR

Amy Eikelenboom

Co-Founder at NAALA

Published on 30 June, 2021


As a developer of software (classified as a medical device or AI), your role extends beyond mere development; you bear the responsibility of ensuring the product’s quality. Additionally, you are entrusted with safeguarding information security and data protection. At NAALA, we adopt a holistic approach to guarantee compliance with all requirements while optimizing the efficiency of our efforts. Yet, one may wonder: what exactly is the interplay between MDR, GDPR, and information security standards? Aren’t these distinct processes? Let’s delve into unraveling the intricacies of their overlap.

Both the EU MDR and ISO 27001 require constructing a management system. EU MDR requires such a system with regard to the quality of the product; ISO 27001 requires it for ensuring information security. One could say that ensuring information security is part of ensuring quality when it concerns software as a medical device.

The General Safety and Performance Requirements (hereinafter: GSPRs) can overlap with ISO 27001 requirements. GSPR 17, for example, sets out requirements related to information security to be met by the manufacturer during the entire life cycle of the product. As EN 62304:2018 (to be harmonized under the EU MDR as from 27 May 2024) already includes security requirements, the ISO 27001 specification of controls can give substance to the measures that need to be implemented to minimize the risk of hazardous situations occurring.

An efficient allocation of company resources aimed at compliance is to integrate these requirements and work towards compliance with both at the same time. The table below shows how the Annex A controls of ISO 27001 relate to the general GSPRs of Annex I to the EU MDR. Such an overview can be made for all applicable requirements to manage their overlap.

 

| No. | General GSPRs | NEN/ISO 27001 Annex A |
| --- | --- | --- |
| 1. | Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons, provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety, taking into account the generally acknowledged state of the art. | A5.1.1 |
| 2. | The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio. | A5.1.1 |
| 3. | Manufacturers shall establish, implement, document and maintain a risk management system. Risk management shall be understood as a continuous iterative process throughout the entire lifecycle of a device, requiring regular systematic updating. In carrying out risk management manufacturers shall: | A5.1.1, A5.1.2 |
| 3. a) | establish and document a risk management plan for each device; | A5.1.1, A6.2.1 |
| 3. b) | identify and analyse the known and foreseeable hazards associated with each device; | A5.1.1 |
| 3. c) | estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse; | A17.1.1, A17.1.3 |
| 3. d) | eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4; | A17.1.2 |
| 3. e) | evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability; and | A.12.7.1 |
| 3. f) | based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the requirements of Section 4. | A5.1.2 |
| 4. | Risk control measures adopted by manufacturers for the design and manufacture of the devices shall conform to safety principles, taking account of the generally acknowledged state of the art. To reduce risks, manufacturers shall manage risks so that the residual risk associated with each hazard as well as the overall residual risk is judged acceptable. In selecting the most appropriate solutions, manufacturers shall, in the following order of priority: | A14.2.9 |
| 4. a) | eliminate or reduce risks as far as possible through safe design and manufacture; | A14.2.1, A14.2.6 |
| 4. b) | where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated; and | A5.1.1 |
| 4. c) | provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to users. | A12.2.1 |
| | Manufacturers shall inform users of any residual risks. | |
| 5. | In eliminating or reducing risks related to use error, the manufacturer shall: | |
| 5. a) | reduce as far as possible the risks related to the ergonomic features of the device and the environment in which the device is intended to be used (design for patient safety), and | A12.6.1 |
| 5. b) | give consideration to the technical knowledge, experience, education, training and use environment, where applicable, and the medical and physical conditions of intended users (design for lay, professional, disabled or other users). | A12.2.1 |
| 6. | The characteristics and performance of a device shall not be adversely affected to such a degree that the health or safety of the patient or the user and, where applicable, of other persons are compromised during the lifetime of the device, as indicated by the manufacturer, when the device is subjected to the stresses which can occur during normal conditions of use and has been properly maintained in accordance with the manufacturer’s instructions. | A14.2.2, A14.2.3 |
| 7. | Devices shall be designed, manufactured and packaged in such a way that their characteristics and performance during their intended use are not adversely affected during transport and storage, for example, through fluctuations of temperature and humidity, taking account of the instructions and information provided by the manufacturer. | A8.3.3, A13.2.1, A13.2.2 |
| 8. | All known and foreseeable risks, and any undesirable side-effects, shall be minimised and be acceptable when weighed against the evaluated benefits to the patient and/or user arising from the achieved performance of the device during normal conditions of use. | A5.1.1 |
| 9. | For the devices referred to in Annex XVI, the general safety requirements set out in Sections 1 and 8 shall be understood to mean that the device, when used under the conditions and for the purposes intended, does not present a risk at all or presents a risk that is no more than the maximum acceptable risk related to the product’s use which is consistent with a high level of protection for the safety and health of persons. | |

 

In summary, the QMS required by the EU MDR and the ISMS required by ISO 27001 are complementary to each other and leave room to integrate requirements.

The General Data Protection Regulation (hereinafter: “GDPR”) requires the controller to implement appropriate technical and organizational measures to ensure the rights and freedoms of data subjects. Additionally, there needs to be a process for evaluating and updating the measures when necessary. Processors must be able to ensure that the controller remains compliant with the technical and organizational measures.

But what are appropriate measures (or controls) to be implemented? This is where ISO 27001 can come in. ISO 27001 and other ISO norms can be used to give substance to legal requirements. The Annex A controls related to information security partly cover this GDPR requirement. In addition, ISO 27001 sets up a risk management system which could entail more than just information security requirements. This risk management system can be expanded with organizational and technical measures specifically aimed at ensuring the principles relating to the processing of personal data (article 5, GDPR).

Although each regulation or standard targets a specific aspect of the organization and medical device, they nonetheless overlap on many aspects. The figure below visualises how ISO 27001 supports both GDPR and EU MDR requirements and how ISO 14971 on risk management for medical devices (yes, another ISO standard) could support the entire process. The starting point for implementing any of the requirements is to set up an organization-wide risk management system that could cover every aspect, from quality to information security and privacy.


Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis. 
