In ISO 13485:2016 there is a new requirement in section 4.2.5 for Control of Records that states "The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements." Since we have a CE mark for our medical device we need to follow GDPR requirements for patient privacy, which entails many documents we need to create to demonstrate compliance.
As a result I have a few questions... Are we required to include all our GDPR documents as part of our QMS? Is a statement in our Control of Records procedure stating that we are compliant sufficient? If not, can I expect during our next 13485 audit that the auditor will also audit to GDPR requirements? Otherwise, how could they know if we are "...in accordance with the applicable regulatory requirements"?