Compliance Amid Conflicts: How to Meet 21 CFR part 11 and GDPR Requirements

SaaS companies, like SciCord, that operate in the pharmaceutical, food services, or medical devices industries must comply with part 11 of Title 21 of the US Code of Federal Regulations (21 CFR part 11), which focuses on limiting data access and safeguarding data integrity. Specifically, part 11 addresses how data can be reliably recorded and submitted electronically while remaining authentic, valid, and protected from unauthorized users. Defining and explaining compliance details for 21 CFR part 11 is beyond the scope of this article, but you can find details here.

Additionally, many of those companies must also meet the requirements of the European Union’s General Data Protection Regulation (GDPR), which became law in 2018. Unfortunately, many SaaS providers located outside the EU are confused about, or unaware of, how the GDPR applies to them. They also don’t realize that, while the two are largely compatible pieces of regulation, they sometimes conflict. This article explains the relatively new GDPR, notes how it affects companies outside the EU, identifies where the two laws conflict, and suggests ways to maintain compliance amid those conflicts.


What is the GDPR, and what does it require?

The GDPR is a mammoth piece of legislation with a far-reaching scope that applies to companies of all sizes. Therefore, SaaS providers in the EU and elsewhere need to understand these significant provisions of the legislation:

Data protection is the paramount issue that the GDPR addresses.

The regulation requires that companies take a purposeful and systematic approach to personal data protection. Firms are expected to provide “protection by design” and to designate someone in the company as a data protection officer, at least unofficially. Article 5 of the law sets out 7 data processing principles for firms to follow. To comply with the GDPR, firms must:

1. Process data purposefully, lawfully, and fairly.
2. Collect data for a specific and legitimate purpose.
3. Limit data collection to what is necessary and relevant.
4. Gather accurate data and update it when necessary.
5. Store personal data only for as long as needed.
6. Process data securely.
7. Be accountable for all of their data collection and processing activities.

Furthermore, the GDPR defines personal data very broadly. “Personal data” certainly includes any data that directly or indirectly identifies the individual; it can also apply to pseudonymous information if those details make it “relatively easy” to identify someone.

The GDPR reaches well beyond the physical boundaries of the EU.

The GDPR applies to international companies that collect data from citizens in any EU member state. According to gdpr.eu, “it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.” Yes, that’s anywhere in the world. So, every firm that collects data from EU citizens falls under the jurisdiction of this law, even if it is located outside the EU.

The GDPR imposes very stiff penalties on violators.

We cite the gdpr.eu website again: “The fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher).” Additionally, the law stipulates that people whose data was breached have the right to seek compensation for damages.

Obviously, the stakes are high. With the GDPR, the EU signaled its intent to penalize companies that fail to provide data privacy.

The GDPR sets out very specific rights for consumers.

Given its purpose of providing EU citizens with data protection, the GDPR lays out several specific rights granted to consumers. These include:

    • Obtaining explicit consent from users before their data is collected. Examples of how companies provide this notification include opt-ins and checkboxes stating that users agree to the provider’s data usage terms (which appear at another link).
    • Notifying data security officials of any data breach within 72 hours of its discovery. The GDPR acknowledges that data breaches will occur but puts the onus on companies to swiftly identify the problem, communicate the consequences of the breach, and suggest measures to mitigate its impacts.
    • Giving users the right to access their data. Consumers who provide information have the right to access it easily. Companies that collected it must provide the information electronically within a one-month window and must not charge consumers for doing so.
    • Ensuring consumers the right to erasure (“the right to be forgotten”). With only a few exceptions, consumers have the right to be forgotten: companies must remove all of their personal data, and third-party services must also stop processing it.

When does the GDPR conflict with 21 CFR part 11?

The conflict areas between the GDPR and 21 CFR part 11 center on the user’s right to be notified when personal data is collected and the company’s right, or obligation, to retain that data.

User notification of data collection

The GDPR mandates that users grant explicit consent before their data is collected; 21 CFR part 11 focuses on data integrity and highlights the importance of an audit trail. What if someone associated with a SaaS provider’s client accesses a website that gathers personal information via cookies, without explicit consent, and that information is then processed by third-party services? This practice clearly violates the GDPR. Conversely, 21 CFR part 11 may condone the action as long as the individual followed GLP (Good Laboratory Practice) and provided an audit trail.

At a minimum, the regulations appear to provide ample opportunities for conflict.

Data retention to protect data integrity vs. the right to be forgotten

21 CFR part 11 treats data retention as integral to data security and details how long data must be retained. Batch retention guidelines provide a concrete example: data related to a batch must be kept for one year after the batch’s expiration date. Information about batches of OTC drugs without an expiration date must be kept for 3 years after the last of the batch is distributed. These retention periods also apply to the components, containers, and labels associated with the batch.

Obviously, these retention guidelines in 21 CFR part 11 contain some ambiguity. The possible conflict arises when someone associated with the batch wants his or her personal data erased. The GDPR grants the “right to be forgotten” unless the data falls within some narrow exceptions. How does a responsible SaaS provider reconcile this conflict?

How should you, as a SaaS provider, ensure compliance amid conflicts between the GDPR and 21 CFR part 11?

First, assume that the GDPR applies to you, even if you are a small company that doesn’t currently serve any EU countries. Because you provide something as universal and transmittable as software, the probability is extremely high that you will eventually serve a client with some connection to an EU citizen. Waiting until you’re sure that the GDPR applies to you courts difficulties that could result in substantial financial penalties.

Second, prioritize GDPR compliance equally with 21 CFR part 11. If this seems like overkill, consider the possible ramifications of noncompliance. The scope, reach, and penalties associated with the GDPR are too significant to ignore.

Specifically, your company should:

Know what both regulations require.

Understanding the rules is always a good idea, so know what the GDPR and 21 CFR part 11 say, and how they could conflict. Then carefully study the sections whose ambiguous wording permits subjective, case-by-case interpretation. Much of the conflict lies in these areas, especially in the GDPR.

Task a specific person to facilitate compliance.

Assign someone the task of controlling the data. The GDPR calls this person the “data controller” and defines the role as the person in the organization who decides how and when personal information is gathered and processed. If GDPR compliance issues arise, the data controller becomes your firm’s pivotal person and first line of defense.

Two important things to note here: 1) if the role is not explicitly assigned, the owner or employee who handles the data fills the data controller role by default, and 2) special rules in the GDPR apply to individuals or organizations, such as cloud servers, that process the information.

Follow the example of companies that already demonstrate skill in this area.

LinkedIn, Twitter, Dropbox, and others have implemented tactics to help meet GDPR data collection and processing requirements. Learn from them.

Even better, research what other SaaS providers serving clients under the jurisdiction of 21 CFR part 11 are doing to ensure compliance amid possible conflict. Their example could steer you away from dangerous waters.

Document everything.

Start with written SOPs, data security protocols, and a means to validate how and when resources were used. For GDPR compliance, maintain an audit trail of how, when, and by what means personal data was collected, and verify that all users provided explicit consent before their data was collected.

SciCord ELN/LIMS

SciCord’s ELN/LIMS combines the advantages of an ELN with the systemic benefits of a LIMS to integrate detailed record-keeping, meticulous data control, and a complete audit trail.

Contact us to learn more about how the SciCord ELN/LIMS can help you meet the requirements of GDPR and 21 CFR part 11.

All of these features help you enforce your organization’s policies and compliance commitments. They also reflect that the SciCord ELN/LIMS is designed to be fully compliant with 21 CFR part 11, has passed FDA audits, and is suitable for GxP use.