Tuesday 21 March 2017

Preparing for an MHRA Inspection Part 3: Understanding your Data

In my previous blogs I talked about some of the ways to ensure that your computer systems are prepared for an MHRA inspection.

Following on from that, in today's blog I wanted to further explore the importance of understanding what data you hold and where that confidential data is stored.

This may sound like an odd topic, as I'm sure many of you are thinking you know exactly where all your businesses data is held. But do you really?

A pharmaceutical business' data is precious. Not only does it contain personal data like names and contact details of clients and employees, which are governed by the Data Protection Act and forthcoming GDPR legislation, it also likely contains medically confidential details of patient health information. Then there may be clinical trial data, not to mention a wealth of commercially confidential details of contracts, agreements, research, IP and email correspondence.

And the scary reality nowadays is that your business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data or emails? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-party organisations? Or copies of data taken for backup purposes?

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs.

So do you really know where all your data is held? And does it matter?

Well the more widespread and less controlled your data is, the more vulnerable you leave your business to a breach of data security or data integrity. This is problem both from an MHRA inspection standpoint and also, with GDPR on the way, there is the potential for crippling fines of up to €20 million and immeasurable reputational damage.

So understanding what data you hold, where it is stored and who has access to it forms one of the first key steps to compliance.

If your data is very disparate, you may wish to bring it together in one secure, central repository in order to make it easier to control and manage. Luckily nowadays there are technologies that facilitate this; for example we have built several of our clients their own private cloud solution where all their data is brought together in one secure, central, UK-based repository, where they and their authorised business partners can access it securely wherever they are, without the source data ever leaving the security of the UK-based data centre.

For other clients, where data is generally central, but perhaps also resides on some mobile devices too, we work to implement business processes and technologies to prevent data leakage and manage mobile devices.

Either way, it is paramount to put the business back in control of its data, knowing both where it is and who has access to it. This in turn needs to be documented, both so that the management team have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts businesses back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Epoq IT work with small and medium size pharmaceuticals businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk

No comments:

Post a Comment