06. Fines
Some of the things you need to do regarding MDR & IVDR according to CEN/TR 17223:2018

Section 7.2.2 states that requirements for products and services should include requirements from applicable regulatory bodies.

Sections 7.3.3, 7.3.7 & 7.3.9 require the design and development process to consider the requirements of regulatory bodies, such as the level of control that is expected in the process.

To comply with the GDPR and meet the certification requirements for ISO 27001 Information Security Management, ISO 20000 IT Service Management and the ISO 13485 Medical Devices management system, there are 99 articles and 173 recitals to be complied with and managed.
A Guide

1. Cost Savings

With one law on data protection across all 28 member states, organizations no longer have to manage different data protection approaches per market. The European Commission estimates this will save businesses around €2.3 billion annually.
—Osterman Research

2. Better Decision Making

Using the process approach outlined in ISO 13485:2016, it's much easier to discover opportunities for improvements. Companies are able to identify and eliminate waste within and between processes, reduce errors, and avoid rework. A key quality management principle of ISO 13485:2016 regards the use of evidence-based decision making. When you use facts and data to drive your decisions,
3. Regulatory Risk Reduction

ISO 13485:2016 places greater emphasis on regulatory compliance and risk-based decision making for processes outside the realm of product realization. The focus is on risks associated with the safety and performance of medical devices and compliance with regulatory requirements. This requirement extends to device manufacturers, as well as their sub-tier suppliers and contractors. The mandate is to apply risk management with analysis from the product's concept and design phases throughout product realization and servicing. In addition, the standard asks organizations to be more stringent when it comes to outsourcing processes by putting into place controls, such as written agreements, for assessing their suppliers.

4. Improved Data Management

GDPR requires that all information be globally searchable and indexed. This will help companies to more easily handle data subjects' requests to delete their data if they exercise their right to be forgotten. On the other hand, this requirement will encourage you to reorganize data storage so that your staff will be more productive and efficient while working with accurate, easily searchable and accessible data.
ISO 13485:2016 & GDPR
1. Legal Mandate

2. Right to Retract

3. Fines

GDPR Article 58(2)(i) provides administrative fines of as much as 10 Million Euros or 2% of the worldwide annual turnover of the preceding financial year. Infringements of the basic principles for processing, including consent. The data subject's rights now include the right to data portability, the right to be forgotten etc. Of particular focus in the case of MDR is the transfer of personal data to a recipient third country or international organization; obligations pursuant to member state law penalize non-compliance with any order by the supervisory authority for restriction of processing or suspension of data flows. This penalty involves an administrative fine of up to 20 Million Euros or 4% of the worldwide annual turnover of the preceding financial year. Also, non-compliance with the orders of the supervisory authority under Article 58(2) of the GDPR incurs an administrative fine of as much as 20 Million Euros or 4% of the worldwide annual turnover of the preceding financial year.

4. MDR/IVDR mandates as part of ISO 13485 and GDPR Legal Compliance

MDR/IVDR data falls under Article 4(1), and therefore the Article 6 and Article 9 conditions for special category data apply, as GDPR includes genetic data and biometric data in the definition.

Notified body: MDR class IIa/IIb**, IVDR class B/C.
(Special) notified body: MDR class III/IIb**, IVDR class D.

In particular, this type of data creates more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination, and is subject to special scrutiny.
The European In Vitro Diagnostic Regulation (IVDR) replaces the IVD Directive (98/79/EC) and has a transition period of five years. Manufacturers have the duration of the transition period to update their technical documentation and processes to meet the new requirements. When placing an IVD device on the European market, manufacturers must demonstrate that it complies with the necessary regulatory requirements through appropriate conformity assessment procedures, the two most relevant being ISO 13485 Part 11 and the corresponding legal requirement of GDPR & FDA 21 CFR Part 820 (US-based).
Credits