In many ways, GxP is where HIPAA was mid-2000s before HITRUST came along. Back then, HIPAA compliance was mostly whatever someone wanted to claim it was. “HIPAA Compliance” meant one lawyer’s word against another. It’s why business deals took six months just to get past the “But are you HIPAA compliant?” stage. Hundreds of consultants, auditors, and lawyers defined what they believed HIPAA compliance to be, and proceeded to use that as their definition for their jobs. You can imagine why HIPAA has been a mess for a long time. This is why HITRUST is such a boon: The industry is finally agreeing to a certified definition, which accelerates the 20-year-old mating dance.
GxP is still in that situation. There is no certifying body for GxP compliance, so it's whatever someone wants to claim it to be.
eCFR — (Electronic) Code of Federal Regulations
The basis of cloud-based GxP audits stems from 21 CFR Part 11. Title 21 of the CFR holds the FDA's regulations, and Part 11 scopes to electronic records and electronic signatures. When a cloud services provider—like Datica—claims to be GxP compliant, the company is claiming that it was audited against an interpretation of 21 CFR Part 11; with no certifying body, which interpretation is used is up to the auditor.
The bulk of the controls in a GxP audit are administrative rather than technical. Whereas HIPAA, and HITRUST in particular, get very deep in the weeds of encryption, intrusion detection, and so on, GxP focuses mostly on the processes and procedures that ensure quality.