Analyst firm Berg Insight warns of challenges facing makers of medical devices and apps with the May 2018 introduction of GDPR.
As 2017 draws to a close, there’s not long to go until the EU’s General Data Protection Regulation (GDPR) comes into effect. From 25 May 2018 onwards, GDPR will be directly binding and applicable to all data collectors, including makers of IoT devices and providers of the services these devices deliver.
In the healthcare sector, in particular, that could spell trouble, according to a report issued this week from analysts at research firm Berg Insight, Connected Care in Europe. It predicts challenges ahead for companies offering medical devices and apps.
Berg Insight’s analysts are particularly concerned about the kinds of connected healthcare products used for remote patient monitoring in telecare and telehealth applications. “Today, data is increasingly used to help patients, without the need of the patient’s own active involvement,” they explain. “This includes various kinds of health data, as well as user location and movement data, which could be used to identify abnormalities.”
For example, with next-generation telecare systems, if a patient does not leave the house for a few days (or, indeed, does leave the house when they’re not supposed to), or goes to bed at an unusual time, a notification might be sent to relatives or caregivers. Next-generation telehealth systems, meanwhile, will often observe patient’s vital signs and transmit data about their condition to healthcare providers, for use in the remote management of conditions such as chronic obstructive pulmonary disease (COPD), coronary heart disease, diabetes and hypertension.
Read more: Time to get moving on GDPR preparation, lawyers warn
Strict set of exemptions
That’s all well and good, but GDPR lays down some very specific rules when it comes personal health data, which it prohibits in all but a very limited set of circumstances.
Exemptions only apply “where the data subject has given consent, where processing is ‘necessary for reasons of public interest in the area of public health’, and where it’s needed for research, diagnosis or treatment,” as David Meyer, author of Control Shift: How Technology Affects You and Your Rights, explained in an article for Internet of Business back in July.
“That may sound like it clears the way for all clinical IoT, but life isn’t quite so simple, as the GDPR is very strict about purpose limitation,” warns Meyer. It’s also pretty particular in its definition of ‘explicit consent’, too, so a number of specific requirements will need to be in place for a patient’s consent to be deemed valid.
These concerns are echoed at Berg Insight. “While the future is data-driven, end users do care more and more about integrity aspects,” says analyst Anders Frick.
The fact that the regulation, by default, prohibits processing of health data unless this explicit consent is in place, he predicts, “will cause challenges for those telecare and telehealth solution providers that are not proactively working on their preparations. If the solution providers are not prepared for handling processing and storing sensitive data in accordance with GDPR, they could risk heavy fines if not fulfilling the requirements.”
Read more: Why the IoT industry needs to pay attention to ePrivacy Regulation
Hefty penalties
And the work involved looks set to pile up as the number of people using connected care solutions grows: at the end of 2016, the number totalled around 5.9 million across Europe, according to Berg Insight’s estimates. By 2022, it could be as many as 16.5 million people.
But if the compliance workload looks hefty, so do the potential penalties for failing to comply: in the most serious of cases, these could amount to 4 percent of annual turnover or €20 million, whichever sum is the greater. That should be enough to make even the most robust executive team feel a little queasy.
Read more: European Parliament pushes on IoT device security and interoperability