ISO 13485:2016, CEN/TR 17223 & GDPR

"On 25 May 2018, less than 50% of all organizations impacted will fully comply with the GDPR."
Gartner

A Benefit v. Risk Analysis


Contents

History & Background
  GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
  ISO 13485:2016
  The juxtaposition of ISO 13485 and GDPR, Section 4.1.1
  CEN/TR 17223:2018: Guidance on the relationship between EN ISO 13485:2016 (Medical devices. Quality management systems. Requirements for regulatory purposes) and the European Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR)

Benefits of GDPR & ISO 13485:2016
  Cost Savings
  Better Decision Making
  Risk Reduction
  Improved Data Management

Risks of non-compliance with GDPR & ISO 13485:2016
  Legal Mandate
  Right to Retract
  Fines
  MDR/IVDR mandates as part of ISO 13485 and GDPR legal compliance

What do you need to do for an ISO 13485 certified GDPR attestation
  Role relative to GDPR
  Inventory personal data
  Map medical data flows
  Incident response plan
  Compile notification list
  Data Protection Impact Assessment (DPIA)
  Appropriate Policy Document (APD)

Requirements for MDR & IVDR medical device providers
  MDR/IVDR mandates as part of ISO 13485 and GDPR legal compliance; the MDSAP audit certification process
  European In Vitro Diagnostic Regulation (IVDR)
  ISO 13485 (with FDA 21 CFR Part 11 for electronic records) and the corresponding legal requirements of GDPR

Some of the things you need to do regarding MDR & IVDR according to CEN/TR 17223:2018
  Risk management system register
  Draft and maintain quality agreements
  Supply chain storage and transport report
  Establish a quality management system
  Draft the Declaration of Conformity
ISO 13485:2016 & GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

A GDPR programme is extensive and requires a good understanding of the regulation and the legal text. As the regulation is non-prescriptive and therefore outcome-based, it requires a good level of data protection maturity and a tried and tested understanding of an organization's processing activities, including an understanding of all third-party personal data processors and sub-processors. This involves reviewing customer information wherever goods, services and/or profiling are a business activity, for on-site and cloud-based systems, and also a review of employee personal data activities. This can typically encompass upwards of 100 systems that organizations need to revisit in order to review existing, and any new, organizational and technical controls.

Data sovereignty and data lifecycle management are key to helping organizations ensure that EU resident data is processed and stored appropriately. In addition to these responsibilities, organizations need to manage data flows to approved third-party processors, monitor for data leakage and protect against data breaches by external attackers.

The GDPR itself has 99 articles and 173 recitals to be complied with and managed, alongside the certification requirements of ISO 27001 (information security management), ISO 20000 (IT service management) and ISO 13485 (medical device quality management system).

ISO 13485:2016 now mandates requirements in the design and development of medical devices, taking into consideration their usability, the use of standards, and more robust planning for the verification, validation, transfer and records maintenance of design and development activities. It also harmonizes validation requirements for different software applications, such as QMS software, process control software, and software for monitoring and measurement.

Juxtaposition of ISO 13485 and GDPR: Section 4.1.1 states that the QMS must include the requirements for the roles undertaken by the organization under applicable regulatory requirements.

Section 8.2.3 says that advisory notices must be made available to applicable regulatory bodies as appropriate.

According to Section 7.5.9.1, traceability must be maintained to the extent required by the relevant regulatory bodies.

Section 7.2.2 states that requirements for products and services should include requirements from applicable regulatory bodies.

Sections 7.3.3, 7.3.7 & 7.3.9 require the design and development process to consider the requirements of regulatory bodies, such as the level of control that is expected in the process.

Sections 5.6.2 & 5.6.3 state that management review must include reports to regulatory bodies as inputs and, as outputs, any necessary changes in response to new or changing issues with regard to relevant regulatory bodies.

Computer Software Validation (CSV) is used to ensure that each computer system fulfils its intended purpose. It prevents problems with the software from reaching the production environment. CSV is used today in many regulated industries and is regarded as good manufacturing practice. Aligned elements of both standards fall into the category of computer systems that must be validated according to ISO 13485:2016, FDA 21 CFR 820 and GDPR.
What is the EU MDR

• A new regulation in Europe for medical devices and in vitro diagnostic products, with many changes compared to the current directives.
• The consolidated trilogue texts of the EU MDR and EU IVDR were issued in June 2016 and published in the Official Journal of the European Union in May 2017.

MDD, Medical Device Directive (93/42/EEC)
  23 articles
  60 pages
  12 annexes
  44 occurrences of "clinical investigation"
  Directive of 1993, amended in 2007

The Medical Device Directive is intended to harmonize the laws relating to medical devices within the European Union. The MDD is a 'New Approach' Directive and consequently must be met in order for a manufacturer to legally place a medical device on the European market.

MDR, Medical Device Regulation (EU) 2017/745
  97 articles and 16 annexes in the 2012 proposal text; 123 articles and 17 annexes in the final Regulation
  355 pages
  142 occurrences of "clinical investigation"
  Regulation published May 2017

The EU MDR focuses on the overall product life cycle from development through obsolescence. Requirements for CE marking have been enhanced at each stage of the life cycle:
• UDI requirements
• New QMS requirements
• Quality agreements
• Labeling requirements
• Required PMS (post-market surveillance) reporting
• Required periodic safety update reports (PSURs)
• Required CER (clinical evaluation report) updates
• Scrutiny of state-of-the-art requirements
• Audits (MDSAP / clinical)

Deliverables and the functions involved:
  Regulatory files: Declaration of Conformity (RA, R&D, DQE, Medical Affairs, PMV)
  Quality system: Periodic Safety Update Reports and Post-Market Surveillance reports for all technical files (QA Man, Ops, DQE, Medical Affairs, RA, PMV)
  Hazardous substances: product codes (QA Man, RA, Ops, R&D, EHS)
  Clinical evaluation: SSCP annual submission, CER annual submission (Medical Affairs, PMV, R&D, RA, Commercial)

PD CEN/TR 17223:2018. This Technical Report provides guidance on the relationship between EN ISO 13485:2016 (Medical devices. Quality management systems. Requirements for regulatory purposes) and the European Medical Devices Regulation and In Vitro Diagnostic Medical Devices Regulation.

The scope of ISO 13485 as defined in this Technical Report indicates that the standard can be applied to both:

- Organizations involved in one or more stages of the life cycle of a medical device. This life cycle includes design, development, production, storage, distribution, installation and servicing.

- Suppliers or external partners that provide product, including Quality Management System related services.

The Technical Report states that ISO 13485 may be applied to other economic operators in the supply chain such as authorized representatives, importers, distributors or assemblers of systems or procedure packs. CEN/TR 17223:2018 provides guidance for implementing ISO 13485 to support meeting the regulatory obligations of authorized representatives (MDR Article 11), importers (Article 13), distributors (Article 14) and assemblers of systems or procedure packs (Article 22).
GDPR & ISO 13485 BENEFITS

A Guide

1. Cost Savings
With one law on data protection across all 28 member states, organizations no longer have to manage different data protection approaches per market. The European Commission estimates this will save businesses around €2.3 billion annually. (Osterman Research)

2. Better Decision Making
Using the process approach outlined in ISO 13485:2016, it's much easier to discover opportunities for improvement. Companies are able to identify and eliminate waste within and between processes, reduce errors, and avoid rework. A key quality management principle of ISO 13485:2016 is evidence-based decision making. When you use facts and data to drive your decisions,

3. Regulatory Risk Reduction
ISO 13485:2016 places greater emphasis on regulatory compliance and risk-based decision making for processes outside the realm of product realization. The focus is on risks associated with the safety and performance of medical devices and on compliance with regulatory requirements. This requirement extends to device manufacturers as well as their sub-tier suppliers and contractors. The mandate is to apply risk management, with analysis from the product's concept and design phases throughout product realization and servicing. In addition, the standard asks organizations to be more stringent when outsourcing processes, by putting controls in place, such as written agreements, for assessing their suppliers.

4. Improved Data Management
In practice, GDPR requires that all personal data an organization holds be locatable, searchable and indexed. This will help companies handle subjects' requests to delete data when they exercise their right to be forgotten. It will also encourage you to reorganize data stores so that staff are more productive and efficient while working with accurate, easily searchable and accessible data.
GDPR & ISO 13485 RISKS

A Guide

1. Legal Mandate
An organization must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals. Article 80 of the GDPR provides that the data subject shall have the right to mandate a not-for-profit body, organization or association (which has statutory objectives which are in the public interest and is active in the field of the protection of data subjects' rights and freedoms) to exercise their remedies under the GDPR on their behalf. Standards bodies such as ISO/IEC are not such bodies: the mandate applies only to not-for-profit bodies meeting those criteria.

2. Right to Retract
The GDPR gives data subjects the right to withdraw consent at any time (Article 7(3)), to request erasure (Article 17) and to data portability (Article 20); Article 77 gives them the right to lodge a complaint with a supervisory authority. Under GDPR, individuals have rights including the right to be informed about the data a firm holds, the right of access, the right of erasure, the right to data portability, and the right not to be subject to automated decision-making, including profiling (Article 22). Businesses are required to answer DSARs (Data Subject Access Requests, Article 15) and maintain a register of all DSARs, or face fines and sanctions.

3. Fines
GDPR Article 83(4) provides for administrative fines of up to 10 million euros or, for an undertaking, 2% of worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations of controllers and processors (for example Articles 25 to 39 on data protection by design, records of processing, security, breach notification, DPIAs and data protection officers). Article 83(5) raises this to up to 20 million euros or 4% of worldwide annual turnover for infringements of the basic principles for processing, including the conditions for consent; of data subjects' rights, which now include the right to data portability and the right to be forgotten; of the rules on transfers of personal data to a recipient in a third country or an international organization, which are of particular focus in the case of the MDR; and of obligations under member state law adopted under Chapter IX. Non-compliance with an order of the supervisory authority under Article 58(2), including an order to restrict processing or suspend data flows, incurs the same fine of up to 20 million euros or 4% of worldwide annual turnover (Article 83(6)).

4. MDR/IVDR mandates as part of ISO 13485 and GDPR legal compliance
Data processed under the MDR/IVDR is personal data under Article 4(1), and because the GDPR counts genetic data, biometric data and data concerning health among the special categories (Article 9(1)), both a lawful basis under Article 6 and a condition under Article 9(2) must apply to it.

Conformity assessment routes:
  Notified body: MDR class IIa/IIb**; IVDR class B/C
  (Special) notified body: MDR class III/IIb**; IVDR class D

In particular, this type of data creates more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination, and is subject to special scrutiny.
What do you need to do for an ISO 13485 certified GDPR attestation

Identify Role Relative to GDPR
The first task for any organization must be to identify whether it is considered a data controller or a processor. It must review the relevant obligations these roles carry, such as issuing notice to citizens and maintaining relevant consent from the data subject. Organizations must regularly review existing and new business processes to identify personal data. They should identify where this data resides (at rest, in motion and/or in use), maintain a record of processing activities, and understand how this data is protected.

Inventory Personal Data
Inventory personal data, whether as part of the initial scoping of a compliance programme or to support the operational duties of controllers, processors or responders, including dealing with subject access requests or data incidents.

Map Medical Data Flows
Mapping patient data flows across the organization is needed to meet both the GDPR record of processing activities (Article 30) and ISO 13485:2016 Sec 4.2.5 (control of records). Data flows highlight supply chain activity that puts critical data at risk. Clear visibility allows organizations to implement management and control of patient data flows using mechanisms such as authorization, policy-based encryption, notification and blocking to mitigate risk.

Create Incident Response Plan
Incident response is critical to protecting data, especially EU resident data. In addition to the mandatory data breach notification requirement, organizations must also ensure they have implemented an effective incident response plan. This plan must be regularly tested to ensure that employees involved in a data breach response are familiar with and fully understand the legislation, the communication process and the protocols for reporting a breach. This is also an ISO 13485 and FDA 21 CFR Part 11 (electronic records) compliance requirement.

Identify and Compile Notification List
As a result of the changes, manufacturers may well be confronted with a forced change of notified body when the regulations enter into force, either because their notified body ceases activities, because it is not re-designated for the same scope, or because it is not designated as a special notified body.

Conduct Data Protection Impact Assessment (DPIA)
GDPR Article 35 mandates a DPIA for processing that is likely to result in a high risk to individuals, which includes large-scale processing of special-category data such as the health, genetic and biometric data handled under the Article 9(2)(b), (h), (i) and (j) conditions. Your DPIA must: describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks. This mirrors the ISO 13485 risk management and document and record control requirements and 21 CFR Part 11 compliance.

Draft Appropriate Policy Document (APD)
Schedule 1 Part 1 of the UK Data Protection Act 2018 contains specific conditions for the various employment, health and research purposes under Articles 9(2)(b), (h), (i) and (j). Schedule 1 Part 2 contains specific 'substantial public interest' conditions for Article 9(2)(g). Data falling under Schedule 1 Parts 1 and 2 requires the establishment of an Appropriate Policy Document (APD) as part of the compliance process. Once you have a policy document in place, you must be able to demonstrate compliance with its terms, for example through training programmes and employee guidance. You must also keep the records of processing up to date. This mirrors the ISO 13485 design control, risk management, supplier management, and document and record control requirements and 21 CFR Part 11 compliance.

Requirement for Medical Device Providers

Medical Devices Regulation (MDR): Device manufacturers that intend to market their products within the European Union need to address compliance with the requirements of the applicable Medical Device Directive (MDD) and the CE marking process. Medical device companies must also do the same based on their own unique needs. This has created a new requirement for certification registrars to cover the regulatory intent of a certification process (e.g., MDSAP audits). MDD compliance and CE marks issued under it will still be recognized for several years but will expire as the MDR takes over, and ISO 13485 certification now assumes a regulatory-oriented process that includes GDPR obligations.

The European In Vitro Diagnostic Regulation (IVDR) replaces the IVD Directive (98/79/EC) and has a transition period of five years. Manufacturers have the duration of the transition period to update their technical documentation and processes to meet the new requirements. When placing an IVD device on the European market, manufacturers must demonstrate that it complies with the necessary regulatory requirements through appropriate conformity assessment procedures, the two most relevant being ISO 13485 (together with FDA 21 CFR Part 820 and Part 11 for the US market) and the corresponding legal requirements of GDPR.
Some of the things you need to do regarding MDR & IVDR according to CEN/TR 17223:2018

Draft a Risk Management System Register (EU MDR Annex I, Section 3)

3. Manufacturers shall establish, implement, document and maintain a risk management system. Risk management shall be understood as a continuous iterative process throughout the entire life cycle of a device, requiring regular systematic updating. In carrying out risk management manufacturers shall:
(a) establish and document a risk management plan for each device;
(b) identify and analyze the known and foreseeable hazards associated with each device;
(c) estimate and evaluate the risks associated with, and occurring during, the intended use and during reasonably foreseeable misuse;
(d) eliminate or control the risks referred to in point (c) in accordance with the requirements of Section 4;
(e) evaluate the impact of information from the production phase and, in particular, from the post-market surveillance system, on hazards and the frequency of occurrence thereof, on estimates of their associated risks, as well as on the overall risk, benefit-risk ratio and risk acceptability; and
(f) based on the evaluation of the impact of the information referred to in point (e), if necessary amend control measures in line with the requirements of Section 4.

Establish a Quality Management System (IVDR Article 10(8); the MDR equivalent is Article 10(9))

The quality management system shall address at least the following aspects:
(a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for management of modifications to the devices covered by the system;
(b) identification of applicable general safety and performance requirements and exploration of options to address those requirements;
(c) responsibility of the management;
(d) resource management, including selection and control of suppliers and sub-contractors;
(e) risk management as set out in Section 3 of Annex I;
(f) performance evaluation, in accordance with Article 56 and Annex XIII, including PMPF;
(g) product realization, including planning, design, development, production and service provision;
(h) verification of the UDI assignments made in accordance with Article 24(3) to all relevant devices and ensuring consistency and validity of information provided in accordance with Article 26;
(i) setting-up, implementation and maintenance of a post-market surveillance system, in accordance with Article 78;
(j) handling communication with competent authorities, notified bodies, other economic operators, customers and/or other stakeholders;
(k) processes for reporting of serious incidents and field safety corrective actions in the context of vigilance;
(l) management of corrective and preventive actions and verification of their effectiveness;
(m) processes for monitoring and measurement of output, data analysis and product improvement.

Draft and Maintain Quality Agreements with Suppliers
The manufacturer must evaluate, select and re-evaluate the other economic operators under ISO 13485:2016 7.4.1 (Purchasing process), including a written quality agreement under 4.1.5 for any outsourced process or product, and must provide the information under 7.4.2 (Purchasing information) to the other economic operators.

Supply Chain Storage & Transport Report, as required by MDR Article 14(3)
Distributors shall ensure that, while the device is under their responsibility, storage or transport conditions comply with the conditions set by the manufacturer.
ISO 11607 covers shelf life and packaging test requirements:
  ISO 11607-1 covers requirements for materials, sterile barrier systems and packaging systems for terminally sterilized medical devices.
  ISO 11607-2 covers the validation of the packaging process (forming, sealing and assembly).
ISO 11607 compliance studies should also cover the packaging process, including sterile barrier system transport and packaging.

Drawing up a Declaration of Conformity (Annex IV)
The EU declaration of conformity shall state that the requirements specified in this Regulation have been fulfilled. The manufacturer shall continuously update the EU declaration of conformity. It shall, as a minimum, contain the information set out in Annex IV:
- Name, registered trade name or registered trade mark and, if already issued, the SRN referred to in Article 28, of the manufacturer and, if applicable, of its authorized representative, and the address of their registered place of business where they can be contacted;
- Product and trade name, product code, catalogue number or other unambiguous reference allowing identification and traceability of the device covered by the EU declaration of conformity, such as a photograph where appropriate, as well as its intended purpose. Except for the product or trade name, the information allowing identification and traceability may be provided by the Basic UDI-DI.