How the Medical Device Regulations will impact manufacturers’ processing of personal data

The way medical devices are regulated in Great Britain has changed significantly with the introduction of the Medical Devices (Post-market Surveillance Requirements) (Amendment) (Great Britain) Regulations 2024. These new rules, which took effect on 16 June 2025, are designed to ensure that manufacturers actively monitor the safety and performance of their devices once they are on the market. While the focus is on patient safety, these changes also have important implications for how manufacturers handle personal data.
 

What’s changing for manufacturers?

Under the new regulations, manufacturers must actively collect and analyse real-world data about how their devices perform. This includes gathering information about incidents, side effects, complaints, and user experiences. The aim is to spot potential safety issues earlier and take action to protect patients and the public.

Manufacturers are now required to:

  • Set up robust systems to monitor devices after they are sold or put into use.
  • Collect comprehensive data on device performance, including feedback from users and reports of incidents.
  • Take preventative or corrective action if they identify a risk that might compromise the performance or safety of the device, or have reason to believe that the device does not conform to relevant requirements.
  • Report serious incidents more quickly.
  • Prepare regular reports summarising safety and performance data, and provide these to regulators on request.
     

Why does this matter for data protection?

Much of the information manufacturers must collect under the new rules will relate to individual patients, healthcare professionals, or users of the devices. This can include details of adverse events, complaints, or device malfunctions that involve identifiable people. In many cases, this information will be considered personal data, and sometimes even special category personal data.

Processing this kind of data brings with it strict legal responsibilities. Manufacturers must ensure that they collect, store, use, and share personal data in a way that complies with data protection laws, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (in each case as recently amended by the Data (Use and Access) Act 2025).
 

Key data protection considerations

  1. Lawful Basis for Processing - Manufacturers must have a clear legal reason for processing personal data. The new regulations require manufacturers to monitor device safety, which can provide a strong justification. However, when dealing with health data, manufacturers must also meet additional requirements, as this is considered a special category of data.
  2. Transparency - Individuals whose data is being collected must be informed about what data is being gathered, why it is needed, how it will be used, and who it will be shared with. This means updating privacy notices and ensuring clear communication with patients, healthcare professionals, and other users.
  3. Data Minimisation - Only data that is necessary for monitoring device safety and performance should be collected. Manufacturers should avoid gathering more information than needed, and ensure that data is relevant and up to date.
  4. Security - With the increase in data collection, there is a greater responsibility to keep personal data secure. Manufacturers must have appropriate technical and organisational measures in place to protect data from loss, theft, or unauthorised access.
  5. Retention and Deletion - The new regulations specify how long manufacturers must keep post-market surveillance records — up to 15 years for implantable devices and 10 years for other devices. Manufacturers must ensure that personal data is not kept for longer than necessary and is securely deleted when no longer needed.
  6. Responding to Data Requests - Individuals have rights over their personal data, including the right to access it or request its deletion. Manufacturers need to have processes in place to respond to these requests, even when the data is collected for regulatory purposes.
  7. Sharing Data with Authorities - The new rules require manufacturers to share certain reports and information with the Medicines and Healthcare Products Regulatory Agency, sometimes within tight deadlines. When doing so, manufacturers must ensure that any personal data shared is handled securely and only disclosed to those who need it.
     

Practical steps for manufacturers

To comply with both the new regulations and UK data protection laws, manufacturers should:

  • Review and update their data protection policies and privacy notices.
  • Train staff on the importance of data protection in post-market surveillance activities.
  • Ensure systems for collecting and storing data are secure and fit for purpose.
  • Regularly review what data is being collected and why, to ensure it remains necessary and proportionate.
  • Establish clear procedures for responding to data subject requests and for sharing information with regulators.
     

Conclusion

The new post-market surveillance regulations are a positive step for patient safety, but they also mean that manufacturers will be handling more personal data than ever before. By understanding and addressing their data protection responsibilities, manufacturers can not only comply with the regulations but also build trust with patients, healthcare professionals, users and regulators. Careful planning and robust data protection practices will be essential as the new rules take effect.
