Search results

GDPR Best legal basis for data sharing

The legal basis of data processing is determined by the controller before data collection. The controller can process data on one or more legal bases, but selecting one is essential for the lawfulness of processing under Article 6 GDPR. Before starting to collect personal data, the controller needs to understand why he/she needs those data and the purpose must be declared in the privacy notice. The data subject, in fact, must be informed and aware of the reason for processing. Legal basis are:

1. Consent of the data subject.

2. Performance of a contract (even pre-contractual steps).

3. Compliance with a legal obligation to which the controller is subject.

4. Protect the vital interests of the data subject.

5. Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Processing is necessary for the purposes of the legitimate interests pursued by the controller.

For example, if you provide a service on the web you can state in the privacy notice that personal data of the customer are collected to provide the service and to comply with a legal obligation (i.e., tax declarations), you can ask also consent to the data subject for receiving newsletter or promotions. If your customer withdraws the consent asking to delete all his/her personal information stored, you can reply that you will remove his/her personal information for processing based on consent (newsletter, marketing), while data processed for the provision of service will be kept to comply with tax rules on bookkeeping. This is why the controller needs to determine the legal basis of each data processing before collecting data.

Here you can find more information on the legal basis and data subjects rights:

• Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
• Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

If you need to understand how to determine the legal basis of processing under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// 

ISO 9001 certification renewal in 3 months

I feel that some information is missing in your question.

1. Is your organization currently certified according to ISO 9001:2015?
2. Your organization in the past was certified, but decided to let go of certification according to ISO 9001:2015?
3. Your organization in the past was certified, but decided to let go of certification according to ISO 9001:2008? 

Whatever the situation a possible approach can be:

• Setup a project sponsor, a project manager, and a project team. Ensure top management support, get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.
• As a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis, you can develop your Project Plan, listing what needs to be done, by whom, until when.

From there it is implemented in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

To speed up the process you can use our Documentation Toolkit for the implementation of ISO 9001:2015 here - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ and check the free previews. You can also watch this free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

Time to implement from scratch and be certified, with our Toolkit Documentation, can take:

• Companies of up to 10 employees - up to 3 months
• Up to 50 employees – up to 3 to 6 months
• Up to 200 employees – up to 6 to 10 months
• More than 200 employees – up to 10 to 20 months 

This is a very short description of the journey but below you can find more detailed information:

You can find more information below:

• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on-demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Improving the work of a library with ISO 9001

So, your organization, as a library, is a service provider. Please check the key benefits of ISO 9001 implementation in this article - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/

Implementing ISO 9001 means:

• determining and planning key processes – allows standardization of practices and monitorization of performance
• determining relevant interested parties – allows promoting an outward-looking point of view seeing the organization as a services provider 

You can find more information below:

• What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/
• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Correction Plan vs Corrective Action Plan

In the event of a non-conformity, there are 3 possible actions to develop

1. Stop the non-conformity from continuing to occur! Stop the damage! Warn people! Do a recall! (examples of what can be done. You are not acting on the non-conformity, you are acting on the process or on the consequences)
2. Then comes correction. Correction is about eliminating the non-conformity (examples of what can be done are: segregate and repair; segregate and dispose of; segregate and downgrade; segregate and ask permission to send the product or accept the service as such – what is also called as a concession). Confirming that the correction was done
3. Then, if the nonconformity is serious or is systematic, comes the corrective action. Collect more information about the symptoms of the problem, investigate the cause, design a solution, implement the solution and do the follow-up to check the effectiveness 

Action 1 is not always possible or necessary to develop.

Action 2 is always done.

Action 3 is done when the non-conformity is serious or systematic.

You can find more information below:

• Free webinar on-demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Implementing ISO 9001 alongside ISO 13485

No, you do not need ISO 9001:2015 certification. There is a difference between ISO 9001:2015 and ISO 13485:2016, and by implementing the ISO 9001 not all requirements for the manufacturing of medical devices will be fulfilled. It is not a question of preference, but what the legal regulations are and what requirements must be met in order for a medical device to comply with its regulations. ISO 13485:2016 is a standard that is specific for Manufacturers of medical devices (Medical devices — Quality management systems — Requirements for regulatory purposes). Besides that, on the web pages of the European Commission are stated which standards are applicable for all types of medical devices:  https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en 

On that list, which has around 300 standards, only ISO 13485:2016 is the standard for the quality management system. 

For more information please read the following articles:

• Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
• What are the ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/
• How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

• Differences between ISO 27001 and SOC 2

  The main differences between ISO 27001 and SOC 2 can be summarized as follows:

  • SOC 2 is a set of audit reports to evidence conformance to the Trusted Service Criteria (TSC), while ISO 27001 is a standard for the management of information security
  • SOC 2 is usually required in the U.S., while ISO 27001 is an international standard
  • SOC 2 is not certifiable (it can be only attested by a licensed Certified Public Accountant (CPA), while ISO 27001 is certifiable by accredited certification bodies  

  This article will provide you a further explanation about ISO 27001 and SOC 2:

  • Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/21/02/02/iso-27001-vs-soc-2/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Conducting implementation/audit using ISO 27001 and ISO 27701 simultaneously

  Please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002. Considering that, the material already developed for ISO 27001 implementation/audit would need to undergo some adjustments to incorporate ISO 27701 aspects.

  Our ISO 27001 toolkit is approximately 80% compliant with ISO 27701. The remaining 20% refers to small adjustments to include the protection of privacy in the context of the documents (e.g., where a document states “information security”, it now should state “information security and privacy”, and applicable controls should consider complementary privacy protection measures), and the inclusion of applicable controls specifically developed for ISO 27701 (in a total of 49 controls). To see how the documents in the toolkit look like, please access this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  For further information, read:

  • Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

  These articles will provide you a further explanation about ISO 27001:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Backup and archiving

  You asked

  I would like to know your opinion on which documents should be backed up. Backup rules. 

  It is the decision of the laboratory, based on customer requirements and or regulations, and based on risk; which documents you need to back up. Typically a laboratory will back up all current work, whilst archive backups are also available.

  You also asked

  it is imperative, in addition to backup copying, to archive the same documents and put an EDS on them"

  Again, do what is necessary for data security and integrity. Exactly how you do it is up to your needs.

  For more information see 

  The Whitepaper Clause-by-clause explanation of ISO 17025:2017 will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ 

  and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

• How to use the ISO 13485:2016 Internal Audit Toolkit

  You can always customize any document and use it for just one department. In the audit plan, you will then state that the audit criterion is only one requirement that applies specifically to that department. For example, if you only want to audit the sterilization department, then you will specify requirement 7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of the process for sterilization and sterile barrier systems as the audit criteria. If you want to audit only Installation Processes, then your auditing criteria will be requirement 7.5.3 Installation activities. 

  If you look at the audit checklist, you can apply the same principle here, so that you fulfill the audit results only in those requirements in which you performed the audit.

  How these documents look like in our ISO 13485:2016 Documentation toolkit you can see on the following link:

  • Internal audit checklist https://advisera.com/13485academy/documentation/internal-audit-checklist-iso-13485-2016/
  • Internal audit plan https://advisera.com/13485academy/documentation/internal-audit-plan-iso-13485-2016/
  The following articles can be useful:
  • Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
  • How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/

  • Holding Personal Information

    GDPR lets the controller determine the period for data retention. In some cases, like for financial declarations, domestic laws impose a fixed term like 10 years while for health declaration periods can be even longer up to 20 years because of the potential implication in legal actions.

    Our Toolkit contains a data retention policy template that may help controllers to determine the period of data retention for each processing activity.

    • Data Retention Policy https://advisera.com/eugdpracademy/documentation/data-retention-policy/

    If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//