Happy New Year everybody – may your transition to the MDR and IVDR be unproblematic and timely.
May your management be convinced that making and selling medical devices is actually core business of the company and dedicate sufficient resources to your transition project.
Halfway point of MDR transition
2018 is the year in which we will see the halfway point of the MDR transitional period pass – if your company is not seriously working on transition, it risks serious disruptions in its EU business as of May 2020.
“But Erik, you start to sound like a broken record – we still have until 2024 under the soft transition.”
Well, yes: if you don’t mind that your device design is completely frozen after 2020 and you cannot change notified body or crucial suppliers / subcontractors anymore. Only do this for non-essential devices or if you have no other options.
You will be captive to your crucial suppliers and notified body during that period. You won’t be able to significantly change the design of your device (e.g. when necessary as a CAPA). ‘Don’t postpone until tomorrow what you can do today’, my late grandmother would always say. She would tell you to be ready for the MDR sooner rather than later.
Are you with the notified body that you trust to have your back for certification of your devices under the MDR? Remember – no grandfathering – all devices on the EU market have to be recertified. Will the notified body be able to issue CE certificates under the MDR in time? It will be your problem if they are not and this may lead to significant business disruptions in the EU market. These are questions you should have answered last year already.
General Data Protection Regulation
2018 is the year in which the transition period of the GDPR ends (end of May) and all manufacturers must have implemented the new rules in the design of their devices, systems and software. This means among other things that risk management under the MDR and IVDR must be tied into cybersecurity measures under the GDPR. Medical devices IT design will have to cooperate with privacy compliance from the start of development of medical devices and related infrastructure. In a time of Meltdown and Spectre vulnerabilities going to the very core of your off-the-shelf components, how do you control your suppliers on these points? With cybersecurity more and more relevant, suppliers of off-the-shelf IT components may become crucial suppliers. You do not want to be the first medical devices company with a major data breach when the GDPR is applicable. And you should preferably not manage it like Uber did. The GDPR will really change a lot for medical devices companies.
Are you selling a medical devices company in 2018?
If you are selling a medical devices company in 2018 you should realize that the MDR and GDPR are your problem, even if you sell the company now.
The first things that a buyer will look at in due diligence as gating items for EU compliance are a realistic MDR transition plan and readiness for the GDPR by May this year.
Prepare to have the sale price discounted significantly, or large parts of it deferred on the condition of MDR certification or GDPR readiness, if your company has neither, because in that case the regulatory risks are more than considerable.
It will be interesting
My prediction for 2018 is that we will start to see the first signs of companies realizing that they haven’t started in time and/or are not going to be ready in time, either because of their own planning or because of dependencies, e.g. a notified body that will itself not be ready in time to process all the applications for conformity assessment under the MDR. It will be the year of early plan Bs and all the moving and shaking concerned with that.
The IVDR is still two years out, but IVD companies should be working on their (clinical) performance data like it’s 1999 because they risk running into the same issues, and they have the additional complexity that the notified body bottleneck will be even worse for the IVDR.
Also, 2018 will have the first big medical devices company data protection issue under the GDPR. Better make sure it’s not you.