Law-based and standards-oriented approach for privacy impact assessment in medical devices: a topic for lawyers, engineers and healthcare practitioners in MedTech

Background: The integration of the General Data Protection Regulation (GDPR) and the Medical Device Regulation (MDR) creates complexities in conducting Data Protection Impact Assessments (DPIAs) for medical devices. The adoption of non-binding standards like ISO and IEC can harmonize these processes by enhancing accountability and privacy by design. Methods: This study employs a multidisciplinary literature review, focusing on GDPR and MDR intersection in medical devices that process personal health data. It evaluates key standards, including ISO/IEC 29134 and IEC 62304, to propose a unified approach for DPIAs that aligns with legal and technical frameworks. Results: The analysis reveals the benefits of integrating ISO/IEC standards into DPIAs, which provide detailed guidance on implementing privacy by design, risk assessment, and mitigation strategies specific to medical devices. The proposed framework ensures that DPIAs are living documents, continuously updated to adapt to evolving data protection challenges. Conclusions: A unified approach combining European Union (EU) regulations and international standards offers a robust framework for conducting DPIAs in medical devices. This integration balances security, innovation, and privacy, enhancing compliance and fostering trust in medical technologies. The study advocates for leveraging both hard law and standards to systematically address privacy and safety in the design and operation of medical devices, thereby raising the maturity of the MedTech ecosystem.