The Cove Business Standards Discussion Forums
ISO 13485:2016 and GDPR EU 2016/679
Post Number #1
13th July 2018, 10:11 AM
SSimcox
Question: ISO 13485:2016 and GDPR EU 2016/679

In ISO 13485:2016 there is a new requirement in section 4.2.5 for Control of Records that states "The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements." Since we have a CE mark for our medical device we need to follow GDPR requirements for patient privacy, which entails many documents we need to create to demonstrate compliance.

As a result I have a few questions... Are we required to include all our GDPR documents as part of our QMS? Is a statement in our Control of Records procedure stating that we are compliant sufficient? If not, can I expect during our next 13485 audit that the auditor will also audit to GDPR requirements? Otherwise, how could they know if we are "...in accordance with the applicable regulatory requirements"?

Post Number #2
13th July 2018, 01:53 PM
Mark Meer
Re: ISO 13485:2016 and GDPR EU 2016/679

Quote (in reply to SSimcox):
... are we required to include all our GDPR documents as part of our QMS? Is a statement in our Control of Records procedure stating that we are compliant sufficient?
Keep the scope of your quality system in mind when determining what documents are necessary to maintain under it. Is the confidential information you are maintaining related to your QMS, or the devices designed, manufactured, sold, and/or monitored under it?

Regarding audits, auditors will want evidence that you've established an effective system for meeting the requirements. If you simply say "system shall comply with GDPR" in your procedures as a way to address the ISO requirement, it would be reasonable for an auditor to then follow up with "ok, show me the evidence". In this case, you'd want your GDPR documentation handy to demonstrate to them that you're doing what your procedures state.
Post Number #3
16th July 2018, 07:55 AM
JoshuaFroud
Re: ISO 13485:2016 and GDPR EU 2016/679

I personally have addressed this in our QMS by adding a section to the Control of Documents and Records procedure stating, "Confidential health information will be maintained in line with GDPR". This is preceded by a sentence stating that as a general rule we, as a company, will not access confidential health information as part of normal business operations.

Our privacy policy and other related documentation is maintained within our electronic document management system but does not explicitly form part of the QMS.
Post Number #4
16th July 2018, 01:55 PM
SSimcox
Re: ISO 13485:2016 and GDPR EU 2016/679

Thanks Mark for your reply. I do have one further question related to your response...

You mention that the auditor may say "ok, show me the evidence", but unless they know how to interpret the evidence, how can they possibly say we are "in accordance with the applicable regulatory requirement" as ISO 13485 states?
Post Number #5
16th July 2018, 02:25 PM
Mark Meer
Re: ISO 13485:2016 and GDPR EU 2016/679

Quote (in reply to SSimcox):
...You mention that the auditor may say "ok, show me the evidence", but unless they know how to interpret the evidence, how can they possibly say we are "in accordance with the applicable regulatory requirement" as ISO 13485 states?
This is a good point of discussion, as it speaks to a fundamental shortcoming with respect to auditing against this particular ISO requirement. Auditors only have so much time and expertise, and so to check if an organisation is meeting all "applicable regulatory requirements" is not a clearly defined task.

It is within auditors' prerogative to dig as deep as they deem appropriate within the scope of their audit. However, in practice, due to constraints on time and expertise, I think you can assume that in cases like this, if they were to say "show me the evidence", simply pointing them to the documentation is probably sufficient (i.e. the details are unlikely to be scrutinised - but you should be prepared to show something rather than nothing).

A similar case is with respect to design test reports. You can expect auditors to follow the design verification process down to the documentation outputs (test reports), but it would be very unlikely that they have either the time or expertise to scrutinise the details (unless they are looking for fulfilment of a specific requirement, e.g. justification for sampling).
Post Number #6
16th July 2018, 06:15 PM
yodon
Re: ISO 13485:2016 and GDPR EU 2016/679

Quote (in reply to Mark Meer):
This is a good point of discussion, as it speaks to a fundamental shortcoming with respect to auditing against this particular ISO requirement.
Indeed, that's a REAL good point of discussion. Without intending to sidetrack this thread, the term (complying with) "applicable regulatory requirement" or similar shows up close to 40 times in the standard. Mr. Meer has hit the nail on the head when he says auditors have only so much time and expertise. This may well be a sore point as things play out. Will an ISO auditor (or the company they represent) be liable for NOT uncovering compliance issues to a regulatory requirement that is outside their expertise?