Experts Examine Impact of EU GDPR, CCPA on MedTech Sector
Posted 23 May 2019
An expert panel at the AdvaMed Digital MedTech Conference in San Francisco on Wednesday discussed the impact on the medical technology sector from new legislation that enacted changes to privacy rights and data protection.
Last year saw some major changes to regulation in US and EU law on data privacy and protection. To enhance privacy rights and data protection, the EU’s General Data Protection Regulation (GDPR) was implemented last May and the California Consumer Privacy Act (CCPA) was signed into law last June. Panelist Peggy Bodin, Zimmer Biomet’s global privacy officer, said there is a “domino effect.”
Data privacy and the concept of privacy by design have been pushed to the forefront, which is forcing companies to think more critically about how data is collected and used. Bodin said there is a cultural shift within the US for most companies, including Zimmer Biomet, with regard to privacy and ethical concerns.
The panel agreed that the “domino effect” of more privacy laws and the shift toward laws that are more and more restrictive will continue throughout the US. In the EU, this shift has been around since 1995.
MedTech Europe legal and compliance coordinator Shannon Zeigler noted that medical device companies have been dealing with challenges posed by more restrictive privacy legislation since the Data Protection Directive. Yet GDPR and additional laws around the world create a new spotlight.
Companies with a presence in the EU are grappling with the increased requirements under the EU’s medical device and in vitro diagnostic regulations (MDR/IVDR) in addition to GDPR. Zeigler said awareness of privacy rights is growing despite certain disconnects in data protection and consent processing, among other intersections between MDR and GDPR.
Zeigler said 95,000 complaints have been filed under GDPR. She explained, however, that GDPR does not disallow the processing of patient data; rather, it means that industry must know what can and cannot be done.
Panelist and Morgan Lewis partner Reece Hirsch also noted that CCPA is “very restrictive” and more far-reaching than HIPAA. For industry, this has created new challenges and uncertainties around privacy rights exacerbated by a lack of guidance on compliance. “The device industry and the technology industry will have problems dealing with the CCPA,” Hirsch said.
The three panelists further discussed ways to think about privacy, protect patient data and mitigate risks in the context of the new legislation, and to avoid any costly business repercussions.
The medical technology industry has specific questions about how to be compliant with the data they are handling and the hurdles they are facing, said Zeigler. She added that MedTech Europe and AdvaMed can aid with compliance by building industry-specific guidance upon request.
It is a balancing act between putting in place global privacy programs and thinking about how quickly the space is changing, according to Bodin. She also recommended that companies have privacy officers at the table when thinking through privacy by design and when implementing new approaches to services.