Cannabis & GMP/GACP: Part 1 – The Compliance Ecosystem

Welcome to our summer series on cannabis and GMP/GACP. A new article will be published once a week throughout the summer. You can access related articles that have been published so far by clicking the Compliance category on the main News & Events index page.

Cannabis as a High Consequence Industry

High consequence is a term that has been used to describe those industries where compliance is essential. High consequence equals highly regulated, and for good reason. As the name suggests, errors in the activities of these organizations have severe consequences. Typically, these are industries where human life or quality of life is at stake, but not always. High consequence might relate to financial or intellectual property security. Examples of high-consequence industries include food production, biotech, healthcare, aviation, nuclear power, and law enforcement. Due to the legal and health implications, the production and sale of cannabis is a high-consequence industry.

But even for organizations in low- or medium-consequence industries, regulations still apply. No one in today’s world operates without rules. In fact, the current business environment is an increasingly complex maze of regulations.

Legislation and standards are in place or being proposed for almost all aspects of business and industry. Throughout the world, regulations govern the manufacturing and handling of a variety of products for health and safety reasons. Other policies are designed to provide privacy and security or prevent fraud. These regulations are administered by government agencies, international organizations and industry associations, and compliance is sometimes voluntary but often mandatory.

Record Management

Many of these laws and guidelines focus on the maintenance, security and auditing of records.

The International Organization for Standardization (ISO) defines Records Management as “the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.” Electronic records management is the digital method for doing this.

Electronic records are critical to doing business today, especially in high-consequence industries where auditing and reporting are required for compliance.

Of course, the electronic records themselves are only part of what is necessary for compliance with legislation or standards. The internal policies and procedures that surround those electronic records form an important piece of the compliance puzzle.

Since a computer record is only as secure as the system that holds it, the organization must therefore make certain that the hardware and software comprising that system are secure as well. And since the hardware and software are only as secure as the facility they are located in, this also means securing the physical location of any servers, back-up copies of data and so on. No electronic record or system can meet such requirements; only an internal security policy and its associated procedures can.

While compliance with regulations is dependent on internal policies and procedures, computer systems and software are often the means of carrying out those policies and procedures. An electronic records management system must therefore offer certain functionality to authenticate and validate the integrity of its records.

The policies of most regulatory bodies include language directed at ensuring the security of electronic records and the systems that support them. These systems must let organizations create, implement and verify security and auditing related to regulatory compliance.

Regulated organizations are ultimately responsible for the computer systems in their facilities and for ensuring that those systems meet any regulations set out for them. However, since these organizations seldom design the systems they use, it falls to hardware and software vendors to interpret the standards and ensure that appropriate features and functions are available to meet them. This is where we come in.