Search results

GDPR data in Microsoft office

Microsoft is a big player in developing tools to help companies and individuals and it is aware of GDPR requirements. Here you can see the Microsoft GDPR assessment and have a look if it suits your needs: https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview

Remember that GDPR leaves up to the controller the choice about the level of security compared to the risk, the state of art, and the costs (article 32 GDPR). Microsoft services are acceptable if inserted in policies and procedures that help you to guarantee the level of security. I.e. Microsoft Onedrive can have the best server and antivirus but if your password policy is weak it will be vulnerable to data breach and unauthorized access.

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Is the calibration certificate number sufficient to control the calibration certificate issued to customers?  

The number helps you identify and trace the document, but is not the only control required. Each laboratory must determine the necessary controls for all documents and records to meet ISO 17025, customer and regulatory requirements. Calibration certificates require controls to ensure unique identification, indication of amendments, protection, back-up, archive, storage, retrieval, retention time, and disposal. An example of a control measure is protection against editing. Another example is to ensure the correct information is included to minimize any misuse or misunderstanding (see clause 7.8.2).

The Advisera ISO 17025 document template: Calibration Report and Certificate Requirements Procedure at https://advisera.com/17025academy/documentation/calibration-report-and-certificate-requirements-procedure/may be of interest.

Setting up a Quality control Lab

ISO 17025:2017 does not provide specific guidelines for laboratory layout. The requirements for facilities and environmental conditions are covered in clause 6.3. As the facilities and environmental conditions can have a major impact on consistent operation and result validity, the standard requires laboratories to:

• Ensure suitable separation of incompatible activities (eg vibrations near a weighing room is not suitable).
• Document requirements depending on the work to be performed.
• Control, record, and monitor any applicable environmental conditions as specified in methods, procedures, and specifications.

I recommend you document all the equipment you need, then look at their placement and a logical workflow. If you are not familiar with laboratory workflow and needs, it will be beneficial to contact a supplier that outfits laboratories.

For more information, see the ISO 17025 toolkit document template: Facilities and Environmental Condition Procedure at https://advisera.com/17025academy/documentation/facilities-and-environmental-condition-procedure/

and the  whitepaper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

How training should someone have before they are deemed competent for a specific task?

Deeming someone competent needs to be against objective criteria. There is no fixed time period. For some tasks it may take just a few hours, others months. You need to state what does the laboratory needs them to be able to do. For a particular task start by naming the task and documenting the training and competency requirements.

For example 
1. Task: Weekly maintenance of instrument x. 
2. Training requirements: Witness task being demonstrated and was supervised for three operations. 
3. Competence criteria: The instrument operator must be able follow the maintenance work instruction x, completing maintenance steps one to three and thereafter perform the instrument qualification test, step four.  
4. Criteria for evaluation:  4.1 The laboratory manager (or other authorised person) must approve training record by reviewing and signing. 4.2 Witness the operator perform the task, meeting the stated competency criteria.

Now for a specific Operator, record evidence of supervision and training. When completed, the laboratory manager should declare and record the observation during witnessing against the criteria. For example “the operator was witnessed to follow the work instruction. The instrument qualification test performed (ref 2020/02/09, attached to training records) passed as per established limits. Operator “M” is therefore declared competent to perform task x. Competence will be monitored by his supervisor through witnessing and record review".

As personnel training and competency is a critical activity, the Advisera ISO 17025 toolkit includes the mandatory procedure as ISO 17025 document template: Competence, Training and Awareness Procedure along with 4 appendices: Training Program, Training Record and Performance Monitoring, Record of Attendance and Competence Approval and Authorization Record. You can preview the template at https://advisera.com/17025academy/documentation/competence-training-and-awareness-procedure/

Documentation and implementation for ISO 9001

If you want to know about ISO 9001:2015 in detail perhaps the best source of knowledge is to attend this free online course - ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

If you want to know which documents and records are mandatory, according to ISO 9001:2015, perhaps this article is a god starting point - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - you can see that ISO 9001:2015 has no mandatory procedures. Concerning mandatory documents, the list is very small (the scope, the quality policy and the quality objectives). All the rest is up to each organization. Please consider that the list of mandatory records is larger.

About implementing ISO 9001:2015 perhaps this free webinar on demand, articles and book can help you:

• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Key requirements in ISO 9001

Please check this article - ISO 9001 Requirements and Structure - https://advisera.com/9001academy/knowledgebase/iso-9001-requirements-and-structure/ - to find the main requirements of ISO 9001:2015

You can find more information below:

• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Asking for subscription consent with first newsletter

Yes, it is the most compliant option you have to ask for consent to contacts you already have in your mailing list. The GDPR requires that user consent to receive newsletter and marketing email, so theoretically, you should have asked for consent when GDPR came into effect. However, in order to reach compliance, you can ask consent as soon as possible. Do not forget to inform users in a transparent manner about how you will use their email address and how they can cancel from the mailing list in case they do not want to receive your newsletter (it may seem risky but you will definitely have a clearer idea about your real audience).

You can find more information about GDPR and email marketing here:

• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

You can also consider enrolling in this EU GDPR Foundations Course:

• EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//

• GCP security controls which comply with ISO 27017

  I'm assuming that by GCP you mean Google Cloud Platform.

  Considering that, please note that we are not aware of which security controls GCP has implemented, so we cannot say which ones are related to applications. Although GCP is ISO 27017 certified (https://services.google.com/fh/files/misc/gcp_iso27017_spring_2020.pdf) its Statement of Applicability is not available.

  Generally speaking applicable controls regarding applications would be from section A.14 (System acquisition, development, and maintenance)  from ISO 27001 Annex A (please remember that ISO 27017 is a supporting standard for controls from ISO 27001).

  Specific controls from ISO 27017 that may apply would be:

  • 9.5.1 Segregation in virtual computing environments
  • 12.1.5 Administrator’s operational security
  • 12.4.5 Monitoring of cloud services

  For further information, see:

  • ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

• Control number A.8.1.3

  This control intends to say that rules for the use of information assets and resources (e.g., Internet, e-mail, internal systems, etc.), must be defined, implemented, and communicated to all personnel included in the ISMS scope, so they can know what is and what is not allowed to do.

  To see how a document compliant with this control looks like, see the document demo in this link: https://advisera.com/27001academy/documentation/it-security-policy/

  For further information, see:

  • How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/