The Cove Business Standards Discussion Forums
GDPR scope - "Personal data" definition - General Data Protection Regulation
Some Related Topic Tags
data (general), gdpr (eu general data protection regulation), personal data
  Post Number #1  
Old 14th March 2018, 10:46 AM
lzanini
Please Help! GDPR scope - "Personal data" definition - General Data Protection Regulation

Hello everybody,

As a young graduate, I just dived into the GDPR as my first mission. I've been reading a lot on it, and I finally came back to the fundamental question: does it apply to us as a company? Let me explain.
Our device is meant to be used in a hospital. It collects monitoring data from the patient. The data collected is of course made available to health professionals in the hospital, so they can use it in order to take care of the patient. Hence, they are able to link the data to the patient. However, the company will never have access to the name of the patient, and will not be able to link the data to the patient, making him/her impossible to identify for us. Moreover, the data collected won't enable us to know anything about his/her habits and tastes. It will just be numbers, without a link to anybody in particular.
By collecting and hosting this data, our aim is to simply analyze it to determine if there are any patterns that could later help health professionals to prevent certain issues.

  • In this specific case, would anyone know if the data the company will have access to will be considered as "personal" since it will just be numbers?
  • Does the GDPR still apply to us as a company?
  • What would this specific situation change for us?


I thank in advance anybody who will take the time to read this, and maybe give some help!


Kind regards,
Laura

  Post Number #2  
Old 14th March 2018, 11:08 PM
mihzago
Re: GDPR scope - "Personal data" definition - General Data Protection Regulation

In general, I think the requirements do not apply to you, especially if the device is not connected to your company servers or in no way transfers the data to your infrastructure.

However, I just did a very similar assessment for a company with a product used during surgery, and I recommended that although the GDPR does not directly apply, there are a number of technical controls that can be implemented in the device to assist the health practitioners or health institutions to comply with the GDPR requirements on their end; especially Article 32, Security of processing.
Some examples are use of login/password to access the device; access to functionality based on roles (admin, user, service, etc.); ability to purge or de-identify data, and a few others.


Also, consider what data you collect during customer support interactions.
  Post Number #3  
Old 15th March 2018, 12:14 AM
QAengineer13
Re: GDPR scope - "Personal data" definition - General Data Protection Regulation

I agree with mihzago's comment and in addition also think about the "Privacy by design" concepts, i.e. Proactive not reactive, Privacy as the default setting, Privacy embedded into design, Full functionality (positive-sum, not zero-sum), End-to-end security, Visibility and transparency, Respect for user privacy into the design if it's not too late... Also think about data classification, metadata and role-based access controls (governance).
  Post Number #4  
Old 15th March 2018, 05:18 AM
lzanini
Re: GDPR scope - "Personal data" definition - General Data Protection Regulation

Thank you for your answer mihzago, I would just have a few comments/further questions if you allow me

Quote:
In general, I think the requirements do not apply to you, especially if the device is not connected to your company servers or in no way transfers the data to your infrastructure.
The device is connected to the company servers. But what will be transferred to us will be numbers (such as heart rate) only. In that case, the company will never be able to identify the person these numbers come from. My question is, "In this specific case, are those numbers still considered as personal data as they do not refer to a person anymore?". And depending on this first answer, then how would the GDPR apply?

Quote:
However, I just did a very similar assessment for a company with a product used during surgery, and I recommended that although the GDPR does not directly apply, there are a number of technical controls that can be implemented in the device to assist the health practitioners or health institutions to comply with the GDPR requirements on their end; especially Article 32, Security of processing.
Some examples are use of login/password to access the device; access to functionality based on roles (admin, user, service, etc.); ability to purge or de-identify data, and a few others.


Also, consider what data you collect during customer support interactions.
Thank you a lot for these recommendations and examples. There are definitely options to explore for us!
  Post Number #5  
Old 15th March 2018, 10:35 AM
mihzago
Re: GDPR scope - "Personal data" definition - General Data Protection Regulation

Based on the Recital 26 below, if the data is completely devoid of any personal information, or information that may allow identification, then the regulation would not apply.

Recital 26 - Not applicable to anonymous data
(1) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
(2) Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.
(3) To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
(4) To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
(5) The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
(6) This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
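The two threads of advice above can be seen concretely in a short script: the device-side controls mihzago lists in post #2 (role-based access to functions, the ability to purge or de-identify data) and the Recital 26 distinction in post #5 (pseudonymised readings remain personal data for whoever holds the "additional information", while an aggregate that no longer relates to any one person can be anonymous). This is an added example written for this page, not code from the thread or from any poster's product. The records, names, patient IDs, roles and the hospital key are constructed, and the keyed-HMAC pseudonym is one illustrative scheme, not a requirement of the regulation.

```python
"""Added example, not code from the forum thread or from any poster's product.

Illustrates two points from the thread:
  * Recital 26: pseudonymised records remain personal data for whoever holds
    the 'additional information' (here an HMAC key), while an aggregate that
    no longer relates to an identifiable person can be anonymous.
  * Device-side controls: role-based access to functions and a purge routine.
All records, patient IDs, names, roles and the key are constructed."""
import hashlib
import hmac
import statistics

# Constructed sample of what a bedside monitor might hold locally.
RECORDS = [
    {"patient_id": "PAT-0001", "name": "Alice Example", "heart_rate": 72, "spo2": 97},
    {"patient_id": "PAT-0001", "name": "Alice Example", "heart_rate": 75, "spo2": 96},
    {"patient_id": "PAT-0002", "name": "Bob Example", "heart_rate": 58, "spo2": 99},
]
DIRECT_IDENTIFIERS = {"patient_id", "name"}

# Hypothetical per-hospital secret: held by the hospital, never by the vendor.
HOSPITAL_KEY = b"constructed-demo-key-do-not-reuse"


def _token(key: bytes, patient_id: str) -> str:
    """Keyed pseudonym: without the key an outsider can neither reverse nor recompute it."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Strip direct identifiers and replace patient_id with a keyed token.
    Readings stay linkable per subject (what the vendor's pattern analysis needs),
    but the key holder can still attribute a token to a patient, so for that
    party this is still personal data in the sense of Recital 26 sentence 2."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject"] = _token(key, r["patient_id"])
        out.append(row)
    return out


def can_relink(pseudonymised, key: bytes, patient_id: str) -> bool:
    """True if the holder of `key` can single out this patient's rows."""
    return any(r["subject"] == _token(key, patient_id) for r in pseudonymised)


def anonymise(records, min_subjects: int = 2):
    """Aggregate across subjects and keep nothing that relates to one person.
    Returns None when too few subjects are present to hide an individual.
    Whether a given aggregate is truly anonymous is a case-by-case judgement
    (Recital 26's 'means reasonably likely to be used'); this is the simple form."""
    subjects = {r["patient_id"] for r in records}
    if len(subjects) < min_subjects:
        return None
    return {
        "n_subjects": len(subjects),
        "n_readings": len(records),
        "heart_rate_mean": round(statistics.mean([r["heart_rate"] for r in records]), 1),
        "spo2_mean": round(statistics.mean([r["spo2"] for r in records]), 1),
    }


# Role-based access to device functions (roles are the thread's own admin/user/service).
ROLE_PERMISSIONS = {
    "admin": {"view", "export", "purge"},
    "user": {"view"},
    "service": {"purge"},
}


def authorise(role: str, action: str) -> bool:
    """Permission check; unknown roles get no permissions."""
    return action in ROLE_PERMISSIONS.get(role, set())


def purge(records, role: str) -> int:
    """Delete locally stored records if the role allows it; returns rows removed."""
    if not authorise(role, "purge"):
        raise PermissionError(f"role {role!r} may not purge data")
    n = len(records)
    records.clear()
    return n


if __name__ == "__main__":
    pseud = pseudonymise(RECORDS, HOSPITAL_KEY)
    print("vendor view:", pseud)
    print("hospital can relink PAT-0001:", can_relink(pseud, HOSPITAL_KEY, "PAT-0001"))
    print("without the key:", can_relink(pseud, b"wrong-key", "PAT-0001"))
    print("aggregate:", anonymise(RECORDS))
    print("purged rows:", purge(list(RECORDS), "admin"))
```

The point the script makes is the one Recital 26 makes: the vendor receiving only `heart_rate`, `spo2` and a token cannot relink without the key, but the hospital can, so the same rows are personal data in one pair of hands and arguably not in the other; only the aggregate drops the link altogether, and even that holds only while enough subjects are pooled.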
  Post Number #6  
Old 6th June 2018, 05:27 PM
Mark Meer
Re: GDPR scope - "Personal data" definition - General Data Protection Regulation

I've got another case to consider:

- The device software allows users (therapists) to create multiple "accounts" for each of their clients.

- The "account" information is just a bunch of open fields, none of which are mandatory. For example, in a "Name" field, the clinician could enter the client's actual name, a pseudonymisation, or nothing at all.

- The device is networked to our servers strictly for the purpose of pushing software updates - none of the account data is ever transmitted.

------
Not certain if/how the GDPR applies in this case.
- Personal data is only maintained if the user chooses to enter personal data.
- This data is never transmitted even though the device is networked. That being said, I'm not certain how continuous networking exposes risk of possible access by unintended means (hacking, malware,...etc.).

Any advice/input much appreciated!
MM