REGULATORY AND INDUSTRY GUIDANCE ON GxP CLOUD

• DATA PRIVACY

201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents

• Scope: Applies to any person or entity that owns, licenses, stores, or processes personal information of Massachusetts residents
• Relevance:   Requires all organizations—paper, digital, or cloud-based—to maintain a written security program with safeguards to protect data, control access, prevent misuse, and detect/report breaches. 

California Privacy Rights Act, 2020 (CPRA)

• Scope: Governs the collection, use, sharing, and sale of personal information of California residents by for-profit businesses meeting certain revenue or data-processing thresholds.
•  Relevance: Requires covered businesses—digital or cloud-based—to implement safeguards to protect personal data, honor consumer rights, ensure transparency, and enforce access controls, breach notifications, and limits on sensitive data use. 

EU General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679

• Scope: Governs the collection, processing, storage, and transfer of personal data of individuals within the European Union and European Economic Area.
• Relevance: Requires organizations—including those using cloud-based or computerized systems—to implement technical and organizational measures to ensure data privacy, integrity, access control, breach notification, and compliance with data subject rights.

HIPAA Cloud Compliance

• Scope: Protection of electronic Protected Health Information (ePHI) in the cloud.
• Relevance: Mandates encryption, access controls, and BAAs for healthcare providers.

INDUSTRY STANDARDS & FRAMEWORKS

ICH GCP E6 (R3)

• Scope: Guidelines for the design, conduct, and monitoring of clinical trials, focusing on data integrity, patient safety, and quality management.
• Relevance: Modernizes clinical trial practices with a risk-based approach, and addresses the integration of new technologies and patient-centric models in clinical research.

ICH Q9 (Quality Risk Management)

• Scope:  Provides principles and tools for quality risk management applicable to all aspects of pharmaceutical quality throughout the product lifecycle, from development through discontinuation. 
• Relevance:  Facilitates systematic risk identification, assessment, and control across the global pharmaceutical industry.

ISO 9001:2015 (Quality Management Systems)

• Scope: Defines requirements for a quality management system (QMS) applicable to any organization, regardless of size or industry.
• Relevance: Serves as the global standard for establishing consistent processes, continuous improvement, and customer satisfaction, with emphasis on risk-based thinking and documented evidence, including validation of computerized systems that support quality-critical functions. 

ISO 13485:2016 (Medical Devices)

• Scope: Quality management systems for medical device manufacturers.
• Relevance: Ensures cloud infrastructure supports traceability, risk management, and validation for medical device data.

ISO/IEC 27001:2022 (Information Security)

• Scope: Security controls for protecting data in cloud environments.
• Relevance: Aligns with GxP requirements for encryption, access management, and incident response.

ISO/IEC 27017:2015 (Cloud Security)

• Scope: Security controls for cloud service providers and customers.
• Relevance: Ensures GxP data in cloud environments meets GDPR and HIPAA requirements.

ISPE GAMP 5 Guide (2nd Edition)

• Scope: Risk-based lifecycle management of GxP computerized systems.
• Relevance: Addresses cloud infrastructure qualification, agile validation, and third-party audits.

NIST Cybersecurity Framework 2.0 Guide

• Scope: Governance, risk management, and cloud security best practices.
• Relevance: Guides encryption, threat detection, and shared responsibility models for GxP data. 

REGULATORY AGENCIES

EMA Annex 11 Guidelines (EU GMP) - 

• Scope: Risk-based validation of computerized systems, including cloud infrastructure.
• Relevance: Mandates infrastructure qualification, change control, and audit trails for EU pharmaceutical operations.

FDA 21 CFR Part 11 Guidance Document

• Scope: Governs electronic records and signatures in FDA-regulated activities.
• Relevance: Requires validation of cloud systems for data integrity, audit trails, and access controls for submissions like clinical trials or manufacturing records.

FDA 21 CFR Part 820, Quality System Regulation (QSR)

• Scope: Establishes current good manufacturing practice (CGMP) requirements for medical device manufacturers.
• Relevance: Requires validated systems to ensure quality management, including design controls, corrective actions, and production processes 

FDA 21 CFR Part 58, Good Laboratory Practice (GLP) for Nonclinical Laboratory Studies 

• Scope: Governs nonclinical laboratory studies intended to support research or marketing applications for products regulated by the FDA.
• Relevance: Mandates computer system validation, record retention, and quality assurance to ensure data integrity and reproducibility in toxicology studies. 

FDA Guidance for Industry: General Principles of Software Validation

• Scope: Provides FDA expectations for software validation across medical devices, manufacturing, and quality systems.
• Relevance: Defines lifecycle activities and documentation needed to validate software used in regulated environments, including cloud-hosted solutions. 

MHRA GxP Data Integrity Guide

• Scope: Data integrity principles for cloud-hosted GxP systems.
• Relevance: Aligns with FDA/EMA expectations for audit trails and metadata.

WHO TRS 996 Annex 5 Guidelines (WHO GMP)

• Scope: Global standards for GxP systems in drug manufacturing and quality assurance.
• Relevance: Provides validation frameworks for cloud-based systems in low-resource settings.

ADDITIONAL RESOURCES

KPMG GxP Cloud Implementation

• Scope: Risk management, supplier audits, and continuous monitoring strategies.
• Relevance: Outlines validation steps for cloud migration in life sciences.

PIC/S Guidance on Data Integrity

• Scope: Global standards for data governance in cloud environments.
• Relevance: Supports ALCOA+ principles for GxP records