This regulation applies to all companies collecting and processing personal data in the EU, and it does include medical devices. There is NO grandfathering under the GDPR, so in May 2018 all existing systems must be able to meet these requirements. The GDPR specifically lists genetic data and biometric data as sensitive personal data. Developers (of both medical devices and health products that are not regulated as medical devices, that collect or process personal data) will be under specific obligations to introduce data protection by design and by default into their systems.