SPEAKER’S BIO

Abhishek Agarwal, CIPP/US, Chief Privacy Officer at Baxter

International

Previously, Abhishek has gained experience working at fortune 100

companies such as Kraft Foods, JPMorgan Chase, HSBC, and E&Y

Consulting where he has worked on large Privacy, Information

Security & Risk initiatives like HIPAA, Safe Harbor, EU DPD

Compliance Programs, Global Data Transfers, Identity & Access

Management, Information Risk Assessments, Information Ownership

& Classification, and Vendor Governance and Management.

AGENDA

Overview of Medical Device Privacy Compliance

Key Privacy Compliance Considerations

An Operational Model – Pre & Post Launch

Case Study

Q&A

PRIVACY LAWS IMPACTING MED DEVICES

AT CROSSROADS OF TECH & STANDARDS

Cloud Computing

Mobile Computing

Wireless Technology

Virtualization

Apps online

Digital/

Connected Devices

PRODUCT LIFECYCLE & PRIVACY

Requirements

Technology Process

Assessments

Scope Data Subject Processing

Functions Technical

Controls

Pre-launch Prep

Market Surveys

Data Processing Agreements

Consents/Notifications

Data Governance

At/Post-launch Prep

Filings/Registration Compliance

Governance Consent

Management Breach

Management BAA/DPA

Management

Training – Legal/Marketing

CASE STUDY

A medical device that provides therapies that includes

capabilities including remote patient monitoring.

The device uses advance technologies such as

wireless connectivity, cloud computing and remote

device management.

The device is planned to be launched in 100+ countries.

A privacy operational model that complies countries

regulations in a uniform and cost effective manner.

KEY OPERATIONAL ACTIVITIES

Difficulty of Implementation

L M H

L

H

Le

ve

l o

f P

repa

ratio

n

M

Medium Term Quick Win Long Term

Defined Roles/Responsibilities

Compliance & IT Support Model

Data Privacy and Security Management Process

IT Training/IT Information Packet

Contracts Management

Data Privacy/Security Governance

Training

Country Legal Support Structure

Data Privacy Organization and Talent Strategy

Data Privacy/Security Change Management

Centralized Document Repository

Data Breach Management / Audit Process

Data Security Assessment

Certifications / Frameworks

Data Privacy Newsletter Subscription

1

2

3

4

1 2

4

3

5

6

7

5

6

8

9

9

7

10

10

11

11

12

13

14

12 13

14 15

8

15

16

17

17

Low Priority

18

List of Activities

KEY CHALLENGES

Covered Entity/Controller v/s Business Associate/Processor

Global templates

Data Processing Agreement (Cross Border, Third Party, Data Analytics)

Consent/Notice

Approvals from local Data Protection Authorities (DPA)

Centralized consent management solution

Global data breach management process

Data Governance, Cyber Security

KEY TAKE AWAY

Establish a baseline of privacy and security controls.

Conduct a market survey to understand local country

privacy requirements.

Establish minimum necessary standards of privacy

governance for the global operations – market, legal,

IT.

Be flexible without compromising the compliance.

Q&A & REFERENCES

EU Patients Rights: http://europatientrights.eu/

EU Institute of Innovation and Technology:

https://eit.europa.eu/eit-community/eit-health

US Health IT: https://www.healthit.gov/

Operational Impact of GDPR:

https://iapp.org/resources/article/top-10-operational-impacts-of-

the-gdpr/

US Privacy Shield: https://iapp.org/news/a/the-privacy-shield-

what-u-s-multinational-employers-need-to-know-to-enjoy-the-

benefits-of-the-newest-eu-u-s-data-transfer-mechanism/

HOW DID THINGS GO?

(WE REALLY WANT TO KNOW!)

Did you enjoy this session? Is there anyway we could make it better? Let us know by filling out a

speaker evaluation.

• Start by opening the IAPP Events App.

• Select this session and tap “Click the following link for speaker evaluations.”

• Once you’ve answered all three questions, tap “Done” and you’re all set.

• Thank you!