How to handle conflict between 21 CFR Part 11 and GDPR

Data integrity of privacy?

European Union's life science manufacturers that export pharmaceutical or medical device products to the United States are required to comply with GDPR and 21 CFR Part 11 compliance at the same time. The statutory requirements give rise to a slightly conflicting situation as the 21 CFR Part 11 demands data integrity, whereas GDPR requires personal data privacy.

21 CFR Part11

• • As per § 11.10(b) -The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
  • As per § 11.10(c) - Protection of records to enable their accurate and ready retrieval throughout the records retention period.

General Data Protection Regulation

• • Regulations (65) - A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given 4.5.2016 L 119/12 Official Journal of the European Union EN his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child.
    
    

    However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims.

What accounts for personal data?

Any data that is associated with a living person is personal data. That means signatures specimens or electronic signatures, name, designation, entry times and exit times in a premises, is personal data of the employee working in the life-science organizations.

What is the record retention period to comply with 21 CFR Part 11?

FDA believes that retention period for a given record will generally be established by the regulation that requires the record. For example, according to 21 CFR 211.180 batch record retention period for production, control, or distribution is as below:

• Until one year after the expiration of batch
• Until three years after distribution of the last lot of OTC drug product that is exempt from expiration dating under § 211.137
• The same data retention period is also applicable to all components, drug product containers, closures, and labelings used in the manufacturing process.

Where the regulations do not specify a given time, the agency would expect firms to establish their own retention periods. Regardless of the basis for the retention period, FDA believes that the requirement that a given electronic record be protected to permit it to be accurately and readily retrieved for as long as it is kept is reasonable and necessary.

When does the Conflicting Situation arise?

If an employee resigns from the organization and asks ‘to be forgotten’,then the GDPR may require the organization to delete all personal data made available by the employee.

In above case, if the organization is using a 21 CFR Part 11 compliant e-QMS that fulfills the statutory requirements for maintaining the employee’s QMS activities and competence record (eg. 21 CFR 211.25), then deleting the personal data may conflict with the requirements of 21 CFR Part 11.10(b) and 21 CFR Part 11.10(c) as stated earlier.

What do our Experts Say?

We asked our experts Yves Dène (Knowledge Manager, QbD) and Neeru Bakshi (QA Manager, Scilife) about what strategy they recommend under different possibilities of conflicting situations.

Yves Dène

Knowledge Manager, QbD

Yves primarily identifies three possible conflicting situation-based cases:

First Case:
Employee actions related to Quality Assurance

Example:
Signing documents because of the employee involvement in Events and CAPA’s etc. in e-QMS like Scilife.

Analysis:
Quality Assurance actions fall under the employer-employee contract but not under the GDPR. For example, if the audit trail captures changes made to a document status, then there is no issue that this information is kept even after the employee leaves the company. The same goes for Signature information.

Second Case:
Patient data in the system

Example:
Complaint or adverse reaction data related to a patient is kept in QMS

Analysis:
If patient data is kept in the Quality Management System (QMS), then the company should use a risk based approach to remove all related data, if the patient asks to ‘be forgotten’ as described in GDPR

Third Case:
Competences and CVs of employees

Example:
Ex-employee data in the Scilife's Competence module

Analysis:
The way Scilife handles it at the moment, it does not pose a challenge to comply with 21 CFR Part 11 but may be a challenge from GDPR perspective.

Yves says that,

“If the data is to be deleted because of the GDPR reasons, then as a best practice, I always advise my clients to mention the ‘GDPR reasons for deletion’ in the audit trail.”

Neeru Bakshi

QA Manager, Scilife

Our QA Manager, Neeru Bakshi says that

“Both regulations require data to be retained as long as it is reasonable and lawful. Organizations must establish procedural controls to define what is lawful for them to retain data beyond the period it is not in use or processed.“

Neeru advises the organizations to implement following policies for procedural control:

• • Data Storage/Collection Policy to define the categories of Electronic Record (as per predicate rule) and Personal Data (as per GDPR) with purpose.
  • Retention Policy to define retention period for Electronic Record and Personal Data and measures for archival or deletion of data or details to render data as non-identifiable.

Additionally, Neeru advises the organizations to maintain an inventory of electronic data and personal data for periodic examination. The inventory should capture following information:

• • Purpose of retention
  • The method of data collection (software or manual method)
  • Retention period
  • Security measures applied for encryption and access permissions to data
    Information if shared with external/third parties and the basis for the same

Conclusion

There could be several ways by which organizations can manage to meet 21 CFR Part 11 compliance and GDPR compliance at the same time. As our experts mention organizations can utilize a risk-based approach and procedural controls to justify the changes wherever applicable. We hope the expert views are helpful to you to take up the next steps. If you have any specific questions, you can always reach out to us to discover how a Smart QMS can help you overcome the challenge. We will always be happy to find out the best possible solution to you.