ISO 14001 has no additional legal requirements. Companies with an environmental management system in accordance with ISO 14001 are not required to perform better than legally required. In addition, an environmental management system can be used to reduce costs by reducing waste. Finally, an environmental management system can be designed to minimize bureaucracy. So, I cannot subscribe to the idea that implementing an environmental management system is an expensive project.
Please check this information below with more detailed answers:
I cannot give you a straight answer; that will depend on your organization’s internal procedures. When a material has a defect, it is a product nonconformity. ISO 9001:2015 does not mandate a corrective action for each product nonconformity. ISO 9001:2015 requires deciding what to do with that product nonconformity. So, if you want to do that, you have to update your procedure accordingly.
The following material will provide you more information:
Article 4 paragraph 7 GDPR defines ‘controller’ as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
It means that who collects data is the controller. If you are developing an App that will collect personal data, you (or your company) will be the data controller. You need to declare who the data controller is and inform your data subjects clearly in the privacy notice. Most likely it will be the company and not the person.
The controller will need to comply with GDPR requirements for data processing.
Article 4 paragraph 8 GDPR defines the processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Therefore, the data processor is someone who acts on behalf of the controller. Let’s take an example with your app. You are the developer of the app and you collect users’ personal data. Maybe you are going to share these data with third parties like Google Analytics, which provide you with some services to implement the functionalities of your app. Those third parties will act as the data processors.
It can also be a web agency that sends on your behalf customized emails to your customers. They will process email addresses (which are personal data) on your behalf.
The data processor needs to be appointed by the data controller, who will instruct it on how to process data, what principles to follow, what data retention period to apply, and so on. The data controller also has the power to control and verify whether the processor complies with the data processing principles set.
The consequences of not complying with GDPR requirements are liabilities towards data subjects for any damage caused by the data processing, and also fines from the Data Protection Authorities. The fines are severe. Infringements are divided into two classes: infringements of data controller and data processor duties have fines of up to 10 000 000 EUR or 2% of annual turnover (whichever is higher), while infringements of basic GDPR principles (like lawfulness of processing) have fines of up to 20 000 000 EUR or 4% of annual turnover (whichever is higher).
Here you can find more information about data transfers, controller and processor:
You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Can I replace a CAR/NCR with a material reject form? The form calls out the issue and then allows quality and production to come together in a meeting to resolve the issue at hand and further prevent it.
Implementing a lean quality management system for a consulting firm implies being very pragmatic and knowledgeable about ISO 9001:2015. Now that the standard is less and less bureaucratic, it is up to each organization to develop and implement a lean quality management system.
Set up a project sponsor, a project manager and a project team. Ensure top management support, get training and, as a first step, perform a gap analysis to determine the amount of work to be done, comparing what your organization already has in place with the ISO 9001:2015 requirements. From that gap analysis you can develop your project plan, listing what needs to be done, by whom, and by when.
Then, an important step is to design a model of how your organization works as a set of interrelated processes. For example:
Decide how to describe and monitor those processes.
From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.
This is a very short description of the journey but below you can find more detailed information:
Yes, it is. According to the contract signed between your company and the certification body, after the certification audit your organization will have yearly surveillance audits.
The following material will provide you more information:
Internal and external issues are relevant topics that can influence the future of an organization. For example, governments can issue legislation that will affect the activity of a recycling company. Social trends can influence how consumers and households react to recycling practices. As for internal issues, you can have, for example, an experienced workforce, inflexible machinery or a lack of capacity.
You can find more examples in this free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/ (it is about ISO 9001 but I think it may be useful)
The following material will provide you more information:
Providing a safety culture is critical to implementing ISO 45001, and the crucial step is the example set by top management. There is a saying that “management leads whether they mean to or not”, and this is equally important to a safety culture. If there is a rule that safety glasses need to be worn, but the president of the company never wears them in the area, then this tells people that the safety rules are not important; if top management says safety is important in words, but not in actions, then the culture of safety will not happen. A culture of safety will only occur when the rules are known, understood, and equally applied to everyone; then you can work on maintaining and improving safety.
You can find out more about convincing top management about the OHSMS that are still applicable to ISO 45001 in the article: 4 crucial techniques for convincing your top management to implement OHSAS 18001, https://advisera.com/45001academy/blog/2017/08/30/4-crucial-techniques-for-convincing-your-top-management-to-implement-ohsas-18001/
Considering ISO 13485:2016, requirement 4.2.5 Control of records states that the organization will keep records for at least the lifetime of the medical device, or as specified by applicable regulatory requirements, but not less than two years. It means that if the lifetime of your medical device is six months or one year, you need to keep records for at least two years.
For more information, please read the following article:
You can also check out our book for more information:
Data Transfer Agreement template (Referenced in Cross Border Transfer Procedure):
DTA for Controller -> Controller
DTA for Controller -> Processor
When to use which one?