SaaS companies, like SciCord, that operate in the pharmaceutical, food services, or medical devices industries must comply with Part 11 of Title 21 of the US Code of Federal Regulations (21 CFR Part 11), which focuses on limiting data access and safeguarding data integrity. Specifically, Part 11 addresses how data can be reliably recorded and submitted electronically while remaining authentic, valid, and protected from unauthorized users. Defining and explaining the compliance details of 21 CFR Part 11 is beyond the scope of this article, but you can find details here.
The GDPR is a mammoth piece of legislation with a far-reaching scope that applies to companies of all sizes. Therefore, SaaS providers in the EU and elsewhere need to understand these significant provisions of the legislation:
Data protection is the paramount issue that the GDPR addresses. Its core principles require organizations to:
1. Process data purposefully, lawfully, and fairly.
2. Collect data for a specific and legitimate purpose.
3. Limit data collection to what is necessary and relevant.
4. Gather accurate data and update it when necessary.
5. Store personal data only for as long as needed.
6. Process data securely.
7. Remain accountable for all of their data collection and processing activities.
The GDPR applies to international companies that collect data from citizens in any EU member state. According to gdpr.eu, “it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.” Yes, that’s anywhere in the world. So, every firm that collects data from EU citizens falls under the jurisdiction of this law, even if they are located outside the EU.
We cite the gdpr.eu website again: “The fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher).” Additionally, the law stipulates that people whose data was breached have the right to seek compensation for damages.
Obviously, the stakes are high. With the GDPR law, the EU signaled its intent to penalize companies that failed to provide data privacy.
Given its purpose to provide EU citizens with data protection, the GDPR lays out several specific rights granted to consumers. These include:
Conflict areas between the GDPR and 21 CFR Part 11 center on the user’s right to be notified when personal data is collected and the company’s right to retain the data.
The GDPR mandates that users grant explicit consent before their data is collected; 21 CFR Part 11 focuses on data integrity and highlights the importance of an audit trail. What if someone associated with a SaaS provider’s client accesses a website that gathers personal information via cookies, without explicit consent, and that information is then processed by third-party services? This practice clearly violates the GDPR. Conversely, 21 CFR Part 11 may condone the action as long as the individual followed Good Laboratory Practice (GLP) and provided an audit trail.
At a minimum, the regulations appear to provide ample opportunities for conflict.
21 CFR Part 11 views data retention as integral to data security and details how long data must be retained. Batch retention guidelines provide a concrete example. 21 CFR Part 11 directs that data related to a batch be kept for one year after the expiration of the batch. Information about batches of OTC drugs without an expiration date is to be kept for 3 years after the last of the batch is distributed. These retention periods also apply to components, containers, and labels associated with the batch.
Obviously, these retention guidelines in 21 CFR Part 11 contain some ambiguity. The possible conflict arises when someone associated with the batch wants his or her personal data erased. The GDPR grants the “right to be forgotten” unless the data falls within some narrow exceptions. How does a responsible SaaS provider reconcile this conflict?
First of all, you should assume that the GDPR applies to you, even if you are a small company that doesn’t currently service any EU countries. The probability is extremely high that you will eventually serve a client with some connection to an EU citizen since you provide something as universal and transmittable as software. Waiting until you’re sure that GDPR applies to you is courting difficulties that could result in substantial financial penalties.
Second, you should prioritize GDPR compliance equally with 21 CFR Part 11. If this seems like overkill, consider the possible ramifications of noncompliance. The scope, reach, and penalties associated with the GDPR are too significant to ignore.
Specifically, your company should:
Understanding the rules is always a good idea, so know what the GDPR and 21 CFR Part 11 say, and how they could conflict. Then, carefully study the sections that contain ambiguous wording that permits subjective interpretation on a case-by-case basis. Much of the conflict lies in these areas, especially in the GDPR.
Assign someone the task of controlling the data. The GDPR logically calls this person a “data controller” and defines the role as the person in the organization who decides how and when personal information is gathered and processed. If GDPR compliance issues arise, the data controller becomes your firm’s pivotal person and the first line of defense.
Two important things to note here are: 1) by default, the owner or employee who handles the data fills the data controller role if the job is not explicitly assigned, and 2) special rules in the GDPR apply to individuals or organizations, such as cloud service providers, that process the information on the controller’s behalf.
LinkedIn, Twitter, Dropbox, and others have implemented tactics to help meet GDPR data collection and processing requirements. Learn from them.
Even better, research what other SaaS providers that service clients under the jurisdiction of 21 CFR Part 11 are doing to ensure compliance amid possible conflict. Their example could steer you away from dangerous waters.
Start with written SOPs, data security protocols, and a means to validate how and when resources were used. For GDPR compliance, provide an audit trail of how, when, and by what means personal data was collected. Verify that all users provide explicit consent before their data is collected.
SciCord’s ELN/LIMS combines the advantages of an ELN with the systemic benefits of a LIMS to integrate detailed record-keeping, meticulous data control, and a complete audit trail.
Contact us to learn more about how the SciCord ELN/LIMS can help you meet the requirements of the GDPR and 21 CFR Part 11.
All of these features help you enforce your organization’s policies and compliance commitments. They also reflect that the SciCord ELN/LIMS is designed to be fully compliant with 21 CFR Part 11, has passed FDA audits, and is suitable for GxP use.