Understanding GMP Data Integrity IT Requirements

How to bring your network and data into compliance with the Good Manufacturing Practice Data Integrity regulations


In 2015, the Medicines & Healthcare Regulatory Agency (MHRA) published Good Manufacturing Practice (GMP) Data Integrity Expectations for the pharmaceutical industry, to ensure that the medicines produced are of safe quality. This guidance complements existing EU GMP Guidance and should be read in conjunction with national medicines legislation and the GMP standards.

The MHRA GMP Data Integrity Definitions and Guidance is designed to emphasize the importance of data governance. Considerations such as organizational procedures and computer access controls should be top of mind.

Key IT Requirements

The following is a table containing sections of the expectations and an explanation describing how Varonis solutions can help manage the unstructured and semi-structured data on your organization’s servers.

Requirement: Data

Description:
Data must be:
A – attributable to the person generating the data
L – legible and permanent
C – contemporaneous
O – original record (or ‘true copy’)
A – accurate

Varonis Product/Feature:
To assure data quality and integrity (accuracy, completeness, content and meaning), an organization must have a clear understanding of where data is stored, who owns it, who is responsible for it and who is authorized to use it.
Varonis DatAdvantage monitors and stores, in a searchable format, all aspects of data use for information stored on file servers and Network Attached Storage (NAS) devices. Varonis provides a detailed record of monitored resources’ contents and how they are used, including: directory structure and file system permissions (i.e. a user’s or group’s NTFS permissions) and data use by username or group name (i.e. create, open, delete, rename). It also allows you to build a list of possible data owners based on usage and other parameters.


Requirement: Raw data

Description:
Raw data must:
Be legible and accessible throughout the data lifecycle.
Permit the full reconstruction of the activities resulting in the generation of the data.

Varonis Product/Feature:
In order to reconstruct the activities resulting in the generation of data, you’ll need DatAdvantage. It provides data owners with detailed reports, including: data usage (i.e. every user’s every file-system object interaction), user activity on sensitive data, permission changes that affect the access of a given file or folder, and a detailed record of permission revocations including the users and the data for which permissions were revoked.


Requirement: Data Integrity

Description:
Data integrity arrangements must ensure that the accuracy, completeness, content and meaning of data is retained throughout the data lifecycle.

Varonis Product/Feature:
Varonis ensures the accuracy, completeness, content and meaning of data is retained throughout the data lifecycle in a number of ways:
Varonis DatAdvantage monitors every user’s file-system object interaction – whenever a file is modified, who did it and when – and stores, in a searchable format, all aspects of data use for information stored on file servers and Network Attached Storage (NAS) devices.
Varonis DatAlert can alert in real time when inappropriate activities take place (changes made outside change control windows, unauthorized access etc.).
With DatAnywhere, a secure, enterprise-class private cloud, you can give your users file synchronization and access (including mobile) without changing your IT infrastructure, without moving your data, and without reconfiguring permissions. Regardless of the user’s device or location, each file is always the definitive copy.
Maintain data integrity when it is transmitted digitally by implementing Varonis Data Transport Engine and move data securely between systems while preserving permissions. Data can be migrated across domains and across platforms without adversely impacting access controls. Data Transport Engine can also detect when sensitive content has been placed in an unsecure location and automatically quarantine the data to prevent unauthorized access.


Requirement: Data governance

Description:
Data governance should address data ownership throughout the lifecycle, and consider the design, operation and monitoring of processes / systems in order to comply with the principles of data integrity including control over intentional and unintentional changes to information.
Data Governance systems should include staff training in the importance of data integrity principles and the creation of a working environment that encourages an open reporting culture for errors, omissions and aberrant results.
Senior management is responsible for the implementation of systems and procedures to minimise the potential risk to data integrity, and for identifying the residual risk, using the principles of ICH Q9. Contract Givers should perform a similar review as part of their vendor assurance programme.

Varonis Product/Feature:
Data governance
The Varonis IDU Classification Framework and Varonis DatAdvantage help identify files containing personal information, determine who has access to it, who is using it, and who should be responsible (data owners). Varonis DataPrivilege helps organizations not only define the policies that govern who can access, and who can grant access to, unstructured data, but it also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: it unites all of the parties responsible, including data owners, auditors, data users and IT, around the same set of information, and it allows organizations to continually monitor the access framework in order to make changes and optimize both for compliance and for continuous enforcement of warranted access.
Access
Varonis DatAdvantage recommends the revocation of permissions to data for those users who do not have a business need for the data – this ensures that user access to data is always warranted and driven by least privilege. DatAdvantage generates reports showing the history of permission revocations and the percentages by which overly permissive access was reduced. Varonis DataPrivilege provides a mechanism, via a web-based application, by which to monitor and administer (allow/deny) all access requests to unstructured data.
Data Breaches and Monitoring
Varonis DatAlert provides real-time alerting based on file activity, Active Directory changes, permissions changes, and other events. Alert criteria and output are easily configurable so that the right people and systems can be notified about the right things, at the right times, in the right ways. DatAlert improves your ability to detect possible security breaches and misconfigurations.


Requirement: Data Lifecycle

Description:
The procedures for destruction of data should consider data criticality and legislative retention requirements. Archival arrangements should be in place for long term retention (in some cases, periods up to 30 years) for records such as batch documents, marketing authorisation application data, traceability data for human-derived starting materials (not an exhaustive list). Additionally, at least 2 years of data must be retrievable in a timely manner for the purposes of regulatory inspection.

Varonis Product/Feature:
Data Retention
Varonis DTE provides the flexibility to configure complete end-to-end migration rules: define source criteria based on path and/or content, classification rule, Varonis ownership and follow-up (flag/tag) criteria; define destination path, folder, and permissions translation; and define when the migration will take place. The ability to configure these rules allows for the rapid and safe execution of complex data migrations, and makes it easy to implement and enforce policies for data retention and location based on content, accessibility, and activity.
