Data integrity: 5 ways to be GxP compliant

#Data integrity: 5 ways to be GxP compliant

Are you always ready to be inspected for your (GxP) activities in your facility? Is compliance and data integrity implemented firmly in your QMS? Are the systems in your (GxP) area constantly in a validated state? Are all your colleagues trained according to the required standards? And how about the Data Integrity (DI)?

It’s evident that you should always be ready for a(n) (un)planned internal/external inspection. Preparations for these external audits can be done by planning internal ones to ensure that both compliance and performance are controlled and corrective actions can be taken at an early stage. This way you and your colleagues are all prepared to face to the inspectorate as they make their way through your facility and documentation.

Although there are various types of audits and inspections, there is a trend that shows the inspectorate is focusing increasingly on data governance and data integrity.

So, what do we mean when we mention data integrity? Most usually it refers to the ALCOA+ principles, a commonly used acronym for:






It puts an additional emphasis on the attributes of being complete, consistent, enduring and available (implicit basic ALCOA principles).

Data integrity standards are met if the degree to which a collection of data is complete, consistent, traceable and accurate. The data is considered to be integer assuring that the accuracy and consistency of data over its entire life-cycle are always guaranteed.

If your data falls short of these standards (after an inspection or gap assessment), you have encountered a data integrity issue; an action or event that could cause, or is evidence of false, misleading, inaccurate, or incomplete data and/or documentation.

You really don’t want this to happen and should always try to be avoided regardless of the costs. These issues have serious consequences for your facility, compromising your company’s legal status/leaving you vulnerable to lawsuits. Government agencies actively conduct audits on this topic and enact fines.

Data integrity and compliance are entangled to such an extent that good data integrity management has become an important component of the pharmaceutical industry’s responsibility. It’s being integrated in the legal framework to ensure patient safety and also the efficacy and quality of medicines. Because of this, it should be firmly embedded in your QMS and all people involved should be trained accordingly.

Setting up a basic QMS is a vital first step and the basis of a company’s assurance that it delivers what it promises. The main challenge here is to keep it up to date at all times. As a fundamental part of the QMS, data integrity needs to be documented properly in it and follow the ALCOA+ principles.


Data can be classified by its level of sensitivity, value, and criticality regarding your facility. This classification of your data will help you to determine baseline security controls for the protection of your data. For example, confidential data is a generalized term that typically represents data classified as restricted to authorized persons only. This term is often used interchangeably with sensitive data. The way that your company classifies data should be documented in the QMS.


Keep in mind that all your activities regarding data handling in a controlled data lifecycle environment must cover the following aspects:

  • Creation or recording of GxP information
  • Collecting, processing and transferring data
  • Data use, reporting, replicating, and distribution
  • Data retention (including archiving), backup, restoration, obsoleting, and retirement

This list above for data management and GxP records is applicable to all personnel involved in e.g. research, design and development, sourcing, production, testing, retention, shipping, distribution, installation, service, marketing, and post-market surveillance of any pharmaceutical product.

All activities performed within above-mentioned aspects need to traceable. You always need to be able to reconstruct a complete roadmap of a drug or medical device’s history and you’re accountable to be able to resolve who has contributed what to which activity where and when.


Working with a computerized system in a controlled environment forces you to have access controls for systems and audit trails in systems (technical measures) in place. This is to ensure that only authorized people can log in with their credentials using only the role(s) there have been assigned. This role is assigned based on personal training and a level of activities to be performed in the system. To ensure access can be granted correctly, appropriate policies, procedures, and controls need to be in place (in the QMS) to remain compliant with the applicable legal requirements.

Once logged into the system, the software should have an up to date audit trail which is basically a chronological record of activities performed in the system. It’s considered sufficient when you’re able to reconstruct, review, and examine the sequence of activities surrounding or leading to each event from inception to the final output.

On a regular basis, an audit trail review needs to be performed. So, what does that mean for your facility? You need to arrange for a periodic assessment that should include a sample of relevant audit trails, raw data, and metadata as part of self-inspection to ensure on-going compliance with relevant policies and procedures. The way of performing the assessment should be written down in a work instruction which is maintained in the QMS.


In the pharmaceutical industry, training of all personnel is key, so an understanding of data integrity principles and issues should be included. If your personnel is trained adequately, they’ll be able to identify possible data integrity issues while performing their own assigned tasks and duties; use this to your advantage. Like everything else, these training sessions are recorded in a training record and consequently stored correctly and can be presented to the inspectorate if necessary.


Ideally, you should have a stable situation in your facility where a complete QMS, containing work procedures, describes and guides all your processes. By having this QMS in place, trained personnel create various integer deliverables according to predefined processes. And the inspection should only be a confirmation of this.

Obviously, nobody’s perfect and probably no QMS is either. With this in mind, it’s encouraged to demonstrate that you have remedied possible data integrity issues by hiring a third-party auditor to determine the scope of the problem and by implementing a corrective action plan. This yields extra confidence that you are proactively closing gaps in processes related to your facility, equipment, personnel or procedures.

Consider this take away message for your daily agendas:

Look at inspections and inspection results. Frequently, deficiencies relating to data integrity are the ones leading to GxP Non-Compliance. Subsequently, data integrity is not only an IT topic; it includes all handling of information in GxP environments. Every change to data has to be initialed and dated by an authorized person, the reason for change need to be crisp. The original data has to stay legible despite all changes performed, this for paper documentation and electronic records.

Feel free to contact us to with any other questions on data integrity or have a look at one of our other blogs on the topic.

Blog by: Ton de Ridder

Subscribe to newsletter