Search results

Administrative fines for lack of compliance with GDPR

Yes, the company will be sanctioned for non-compliance. 

Article 83 and 84 GDPR refer to administrative fines up to 10 000 000 Euro or 20 000 000 or to the 2% or 4% of the annual turnover of the preceding financial year, whichever is higher. Therefore, depending on the infringement, administrative fines will be calculated. In the case of negative turnover, the consequences on the company may vary from State to State depending on the internal procedural law. A sanction issued by the Supervisory Authority is considered as debt that may lead to bankruptcy.

Here you can find more information:

• The obligations of controllers towards Data Protection Authorities according to GDPR https://advisera.com/eugdpracademy/blog/2017/12/11/the-obligations-of-controllers-towards-data-protection-authorities-according-to-gdpr/
• Which fines does GDPR designate for companies? https://advisera.com/eugdpracademy/knowledgebase/which-fines-does-gdpr-designate-for-companies/
• Understanding the Lead Supervisory Authority concept in GDPR https://advisera.com/eugdpracademy/knowledgebase/understanding-the-lead-supervisory-authority-concept-in-gdpr/

You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Information Classification

1 - Is there anything that would stop us from simply having two classifications Public and Confidential?

ISO 27001 does not prescribe classifications to be applied to information, so it is acceptable by the standard that your organization may adopt only Public and Confidential levels.

2 - Assuming we adopted a mandatory classification protocol at an individual document level on say December 1. What would be the recommendation as to classification of all pre-existing documents

I'm assuming that by classification you mean define it as different from public.
 
Considering that, the classification of pre-existing documents will depend on your needs, the results of risk assessment, and applicable legal requirements.
 
For example, for HR processes you may need to classify all documents related to employees, regardless of how old they are (in most countries this related to laws or regulations). On the other hand, for the Marketing campaign for a new product, you only need to classify it until the new product is released.
 
It is important to note that the classification of information at the document level is impractical for a large number of documents.

3 - ...If the response is that every old document must  be classified this would be impossible for us. So therefore my next questions are around whether we can classify not at document level, but at a higher level.:

ISO 27001 does not prescribe levels to consider to classify information, so you can use the classification that better suits your needs. For example, you can classify documents according to type, the processes or business units they are related to, or where they are stored (e.g., contract type documents, documents related to the software development process, documents related to the HR department, or documents stored in the CFO office).  

4 - Would it be legitimate to have a classification policy at a document type level?

Considering previous answers, a classification policy at the document type level is acceptable for ISO 27001 certification purposes.

5 - Or is it legitimate to classify based upon where the electronic document is stored (eg everything  in this Microsoft Teams channel is Confidential?

Considering previous answers, classifying documents according to where they are located is acceptable for ISO 27001 certification purposes.  

6- Overall any general thoughts / advice you may have for creation of a workable classification policy for such a small company?

These articles will provide you a further explanation about information classification:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
• Why is ISO 27001 applicable also for paper-based information? https://advisera.com/27001academy/blog/2019/01/21/why-is-iso-27001-applicable-also-for-paper-based-information/

Classification of company assets

Along with greeting you, I would like to please if you could help me with a question I have. I am classifying the assets of the company and in the case of computers and laptops, for example, do I have to enter into the classification all those that exist in the organization or only one?

I remain attentive to your response, greetings and thanks

By your question, I'm assuming you are talking about filling in the asset register.
 
Considering that, you need to include in the asset register all assets that are related to the ISMS scope (in case the scope covers all organizations, then you need to consider all computers and laptops). But you do not need to include every single asset. You can create a single asset named "laptop" or, in case you need to use different classification levels, you can identify assets like "common laptop" and "development laptop", and define a different classification for each one.
 
This article will provide you a further explanation about the asset register:  

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

ISO 14001 certification cost and duration

I believe you’re enquiring about the cost of getting a company ISO 14001 certified.
The cost and time of getting ISO 14001 certification depend on two important variables: the dimension of the organization and its environmental status.
For example, concerning time. When there are no problems with compliance obligations according to Advisera’s experience, organizations using our Documentation Toolkit, from start to certification, need:

• Companies of up to 10 employees - up to 3 months
• Up to 50 employees - 3 to 6 months
• Up to 200 employees - 6 to 10 months
• More than 200 employees - 10 to 20 months

Without our Documentation Toolkit, they need more time.
As someone implementing management systems as a consultant for almost 30 years, I have plenty of experience where organizations promise resources and commitment before starting the project and then they fail.

For example, concerning costs you have to consider two factors:
· What is the present situation concerning compliance obligations? For example, I have worked with some organizations that had to spend a lot of money to correct their air emissions.
· Certification costs will depend on certification body to certification body but the main factor is the number of workers in the organization.

Please check this information below with more detailed answer:

• Free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
• List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
• ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

SOP for Control of Nonconforming Product/Proces

According to the ISO 13485:2016, there is a requirement for the SOP for the Control of nonconforming product (requirement 8.3.1 General).

Return merchandise authorization is covered in the requirement 8.3.3 Actions in the response to non-conforming product detected after delivery. Usually, this requirement is covered in the same SOP for the Control of non-conforming products. Organizations must take actions appropriate to the effect that non-conforming products can be issued.

For more details, please see the following article:

• ISO 13485:2016 nonconforming product – How to approach the post-delivery actions https://advisera.com/13485academy/blog/2017/04/11/iso-134852016-nonconforming-product-how-to-approach-the-post-delivery-actions/
• Understanding dispositions for ISO 9001 nonconforming product https://advisera.com/9001academy/blog/2014/11/18/understanding-dispositions-iso-9001-nonconforming-product/

On the following link you can see how our procedure and template for the non-conforming product look like in ISO 13485:2016 Documentation toolkit:

• Procedure for Control of Non-Conforming Products https://advisera.com/13485academy/documentation/procedure-for-control-of-non-conforming-products-iso-13485-2016/
• Non-Conforming Product Record https://advisera.com/13485academy/documentation/non-conforming-product-record-iso-13485-2016/

• Excluding clauses of ISO 9001 for a law firm

  Excluding clauses is not a technical decision, it is a management decision based on the scope of the quality management system. For example, are Law firms not innovative and do not develop new services? Is clause 8.3 automatically not applicable?

  Only after looking into the scope of the quality management system, one can say if a clause is applicable or not.

  The following material will provide you more information about exclusions:

  What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
  Free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
  Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Environmental risk assessment in a garments factory

  You can start looking at your environmental aspects and impacts and determine what can go wrong and provide undesirable consequences like emergency situations or breakdowns.

  Then look for interested parties and determine possible changes for the future and their potential impact in your organization. For example, customer requirements may demand more chemicals, environmental legislation may be more demanding.

  PESTLE analysis may be useful to frame thinking about risks related with policy, technology, economy and social movements. Although about ISO 9001, perhaps the technique that I use and present in this free webinar on demand - Context of the organization, interested parties, and scope - - may be useful for you to work with context and interested parties to determine risks.

  Please check this information below with more detailed answers:

  • ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/