Data Flow Maps - No pain No gain?

Picture of post it note images
 

Depending on your industry sector, the applicable regulations and the type of data and records being considered - data flow maps may be advised and good practice or stipulated as a regulatory requirement.

Over the last few years most inspectorates have advocated the use of Data Maps for understanding where data risks may lie and as a useful tool for ensuring data integrity is assured across the entre data lifecycle from record generation to retirement and/or destruction. MHRA Inspectors are Advocating Data Mapping as a Key First Step on the Data Integrity Pilgrimage | IPQ Newsletter (ipqpubs.com)

Looking at the latest PICS guide PI 041-1 Guidance on Data Integrity (picscheme.org) we see maps mentioned again

Section 9.6.1 ......'The creation and assessment of a data flow map may be useful in understanding the risks and vulnerabilities of computerised systems, particularly interfaced systems.'

When it comes to personal data as part of an EU General Data Protection Regulation (GDPR) compliance project organisations are required to map their data and information flows in order to assess their privacy risks and to form part of their Article 30 documentation. There are some great organisations out there to help with GDPR and mapping of GDPR data.

GDPR Data Mapping: What it is and How to Comply (itgovernance.co.uk)

Challenges

So Why do so many organisations and internal stakeholders get more anxious or even fearful at the mention of data maps?

What makes mapping a challenge and increases these anxiety levels? data and records in different formats, data locations, potentially disharmonised management across the data lifecycle, ownership? 

 

Is it Simplicity of the Task vs potential Complexity of the Ask

  • additional workload on already stretched resources

  • complexity of data flows

  • incomplete understanding of mapping tools

  • potential Data Integrity gaps that may be uncovered

  • management and map ownership not understood or agreed

Carpe Diem - 'be Empowered with your Insider Knowledge' - You know your business process's best, the parts that deliver time and time again and the parts that may need some minor tweaks to maximise potential in the future

You generate key data and records as outputs of these business processes which need to be managed from creation to retirement/final disposal and must have the necessary oversight controls in place to ensure at minimum that GxP records and data can be compliant with ALCOA + attributes .

ALCOA+ - means that every GxP record should be Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring and Available throughout the data lifecycle. There is always the worry of 'what if I discover gaps in my data management process'? - this should be seen as an opportunity not a threat - you are getting full return on investment with your mapping effort - you are learning where those data risks may lie, you can remediate the gap (if real) and your data will have greater integrity - your map does exactly what it says on the tin.

 

Note: Maps will also allow you to discuss/examine Data Criticality as there is a lot of generated data but not every data/record point will be critical and a risk based approach can be applied to data management (no further discussion on this topic here but definitely a consideration)

Considerations and Tips

To help reduce mapping anxiety levels here are some Q/As, suggestions and tips before you start

Question: What does a data map need to look like?

Ans : there is no standard look, the map needs to work for you, you may even have different map types across different groups or areas within your company (having a company standard though will make longer term map management easier )

Question: What standard tools should I use?

Ans: there is no standard, ask IT, check with other business stakeholders, ask the project managers they may already have great tools available that you can leverage.

Mapping out processes and associated data on wall boards or electronic white boards is always a good starting or collaboration point before more detailed mapping occurs. If you have electronic whiteboards such as MS Whiteboard or MIRO - these work really well as a starting point and everyone gets to collaborate real time. 

Question: Do I need to be a map tool expert? 

Ans: Well definitely this is one of the biggest hurdles and we are often asked 'do I need to be a Visio expert, Miro expert, PowerPoint expert' ? No!!! use what tool works best for you, in the short term for simple maps Powerpoint works well. But long term for more complex maps we suggest you look at for example MS Visio, Draw.io and these tools also have lots of useful shapes and icons available.

 

Some of the electronic solutions also have nice features like parking lots that you can come back to and start to build new maps or revise existing maps when additional data or record information becomes available.

Question: Who needs to be involved?

Ans: - now this one we do suggest you standardise within your company! We suggest QA, IT and a BPO or SME at minimum.

Across your business process you will have numerous levels of data creation and interaction including oversight and management activities applied to both your paper and electronic data/records and systems. If possible include

  • data generator

  • data reviewer

  • data approver

  • system administration professional

Even if they can't all be available on the same session they all need to be involved to confirm that the map reflects exactly the data flow and management activities.

The activities associated with these individual groups will determine how accurate and complete your data management process is across the full data lifecycle and show up duplicated data, data that's not managed fully, instances where signatures are not applied to data, instances where transfer errors could occur, instances where system vulnerabilities may exist, instances where paper record management controls may be lacking.

As if you were completing a GxP activity do not rely on process memory - use the SOPs and Work Instructions associated with your process. Compare what's in the procedures to what you actually do with data and records and determine if any gaps or inconsistencies exist 

What should we do if we are complete mapping novices

With the right people (Question: Who needs to be involved? see above) and relevant procedures available you may want to do a practice mapping session to test out how prepared you are to begin a more formal session: You can always start with paper and sticky notes and map out the business process first on a large wall or surface or virtual board and then start to add in where data and records are generated as part of the process. Do not try to map the data across for example the entire QC remit of testing in one go. Start off simple Data flow map for a Karl Fischer or standalone instrument use and work your way towards more complex data flows such as CDS or LIMS or MES.

You will definitely find that there are lots of overlapping sub processes so you can assign an owner to these sub processes or simplify and work on main processes or single processes first and associated data/records.

Always mark clearly on the map where potential data integrity risks have been spotted - these could be where duplicate records are generated and deciding what record constitutes the authoritative source is a 'must do' to remove future data integrity issues.

Another common issue spotted during mapping sessions is transcription of data to electronic systems from paper records with no oversight controls applied. This is definitely a data risk.

Getting all the mapping team involved Map out the chosen business process steps and start recording on the business map as a team where data or records are generated. For the data map 'purist' this is somewhat different to a data only map as we do have a 'hybrid' here of the business process and data on the same map. Lots of fine tuning can happen later but start basic and grow the maps from there

So maps should highlight any potential data risks but also data opportunities - remember to ask during your mapping session for every record generated does the data comply with ALCOA+

Using an external vendor such as ERA Sciences is also a good solution as we have considerable expertise generating data maps and can work with you and support you either by generating full maps or by generating generic templates which you can leverage for all your other data processes. We have just finished another beginners Data Map training session so I'm sharing a slide of key questions with you below. 

In you are interested in getting more information on this or any other DI topic please contact us at CONTACT US | ERA Sciences

Dr Eva Kelly

Dr Eva Kelly

Eva holds a degree in Analytical Science and a PhD in Chemistry from Dublin City University, bringing over 25 years of experience in site solutions and learning management across various sectors, including pharmaceuticals, medical devices, and FMCG. She has specialized as a Data Integrity SME, with expertise in 21 CFR Part 11 and Annex 11 compliance, and has led Data Integrity and QA IT roles within pharma and biotech companies, focusing on GxP SAAS, hosted, and on-premise solutions. Eva is passionate about fostering a culture of Data Integrity (DI) excellence, working directly with clients to implement DI governance strategies that prioritize people, processes, and technology. Over the past decade, she has honed her skills in stakeholder presentations, quality risk management, and the implementation of systems such as SABA Cloud, EtQ Reliance, VEEVA Vault, and Axway Track and Trace, among others. With a deep understanding of DI's evolving role, Eva is dedicated to helping clients achieve thorough GxP record compliance and successful DI initiatives.

Comments

Related posts