10 Ways GDPR Will Affect Engineers, Part 1

Jul 20, 2018

by Agam Shah Associate Editor at Mechanical Engineering magazine

Change can be difficult, but sometimes necessary, especially if the impact has wide-ranging potential. Engineering companies are finding that out now as they scramble to comply with GDPR (General Data Protection Rule), a European Union regulation passed in May that gives users more control over their personal data, and how organizations use it.

Under GDPR regulation, EU citizens have a right to know how their personal data is being used, and the "right to be forgotten" by asking companies to remove their personal data. Companies also need to seek user consent before collecting personal data to ensure their data won’t be abused.

18th Annual Cybersecurity Symposium on the campus of U.N.C. Charlotte in October of 2017. Image: Womble Bond Dickinson

GDPR impacts the engineering of products to varying degrees, mostly depending on how much personal data is collected by companies. The regulation especially affects medical-device makers, which can't operate without personal information like health readings. The impact is less on some manufacturing sectors, where historically personal data collected has been relatively limited mostly to employees and contacts at customers and suppliers.

The regulation forces the reexamination of device design, how sensors collect data, and business operations, even if you have only one client in the EU. Safeguards need to be in place or companies risk a massive EU fine. Here are some ways GDPR will impact engineers.

For You: IoT Puts New Spin on Old Product

1) Device Design Changes

GDPR requirements are legal, but there are device design implications as the regulation digs into functional requirements of a system. The regulation requires data protection by default and design, which is a big consideration when engineering devices.

"Simply put, this requires developers to think about potential risks and harms their personal data driven system poses, and to embed technical and organizational safeguards in the technology, to protect the data subjects’ rights from the start," says Lachlan Urquhart, lecturer in technology law at the University of Edinburgh.

2) New Device Considerations

The impact of GDPR can be significant depending on the information control and transport. Medical devices requiring cache personal information, such as name, age, and weight, within the data storage of the device itself, will need to be audited as changes to the software may be required. These may include new routines to remove the records when required by the new legislation, says John Turner, software engineering manager at medical device maker Starfish Medical.

"With the right software design, accounting for the control and limiting the flow of personal information into and out of medical devices, the new standards may have minor to no design impacts," Turner says.

Starfish has work instructions to include the ability to remove patient history. “Typically this is the opposite of current practice for most connected devices,” Turner says. “Patient history provides information that help diagnose and treat most diseases and medical conditions.”

3) Privacy and Safety by Design

Organizations need to consider the privacy implications of a project at the outset and build in compliant processes from the start. Privacy impact assessments also need to be carried out where required by law, says Caroline Churchill, a partner, and Orla O'Hannaidh, an associate, at transatlantic law firm Womble Bond Dickinson.

"The most significant challenge from our perspective, particularly for the manufacturing and construction industry, is the culture change that is likely to be needed," the lawyers state.

Technologies, like sensors that are used to collect data, including personal information, for more efficient manufacturing operations, need to have privacy assessments at the forefront.

The "privacy by design" requirements under the GDPR make it imperative "that manufacturing, construction and healthcare industries integrate data protection measures from the beginning of the engineering process, and continue to maintain and develop such measures on an ongoing basis," according to the lawyers.

See Part 2 to learn more about how GDPR will effect engineers.

Read More:
Drinking the Desert Air
Technology Brings Clean Water and Nutrition to Central America
New Process Embeds Coded Data on 3D-Printed Parts

The most significant challenge from our perspective, particularly for the manufacturing and construction industry, is the culture change that is likely to be needed. Statement from Caroline Churchill and Orla O'Hannaidh, Womble Bond Dickinson