Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
International personal data transfers – Binding Corporate rules (BCR) under GDPR – and Cross boarder documentation
"I have been through the forwarded material around GDPR compliance and I have the following questions:
1. International personal data transfers – Binding Corporate rules (BCR) under GDPR – and Cross border documentationHow do we secure compliance? Is it by fill in and sign the Cross Border document or do we need another agreement?
I assume you are referring to the documentation in the EU GDPR Documentation Toolkit. As you may know, Binding corporate rules (BCR) under Article 47 GDPR apply to group companies for transfers inside the same group, and to be compliant must be approved by the competent Data Protection Authority (DPA) following the procedure in Article 63 GDPR which is quite complex.
BCR must
- be enforceable to all companies of the group and legally binding,
- assure data subjects rights,
- provide information and contacts of the group and each company belonging to the group,
- provide information on data transfers, data subjects involved, third countries of destination,
- assure the application of principle layout in GDPR as data minimization, data retention period, purpose limitation, data quality, data protection by design and by default,
- accept liability for any breach of the BCR by any company of the group as reported by the competent DPA,
- assure compliance of all group’s companies to BCR with audits, employees’ training to follow BCR, and willingness to modify and implement BCR to DPA’s new requirements,
- Cooperate with and report to DPA any data breach.
- 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
- Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers.: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
- EU GDPR Article 44 – General principle for transfers: https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
- EU GDPR Article 45 – Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
- EU GDPR Article 46 – Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
- EU GDPR Article 47 – Binding corporate rules: https://advisera.com/gdpr/binding-corporate-rules/
- Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
-
Requirements for certification
Setup a project sponsor, a project manager and a project team. Ensure top management support, get training and as a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis you can develop your Project Plan, listing what needs to be done, by whom, until when.
Then, an important step is to design a model of how your organization work as a set of interrelated processes. For example:
Decide how to describe and monitor those processes.
From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.
This is a very short description of the journey but below you can find more detailed information:
- Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
- Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
-
Clause 6.1.1
One general advise: avoid generic lists of risks. Each organization is a particular case.
According to ISO 9001:2015 organizations can determine three types of risks:
- Risks related with context and interested parties;
- Risks related with products and services; and
- Risks related with processes
The following material will provide you more information about risks:
- Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- How to identify risk controls in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/
- Methodology for ISO 9001 Risk Analysis - https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
-
Auditing own subordinates
After ISO 9001:2015 the requirement for the independence of internal auditors has been removed from the internal auditor definition but not from the audit definition. Now, in addition to meeting your organization's competence criteria, internal auditors only have to ensure objectivity and impartiality. Thus, the manager could audit his own subordinates during an internal audit if, and only if he/she can ensure that it will be carried as a systematic, independent and documented process for obtaining objective evidence. This requirement is lost when the auditor (the manager) is a person who could be affected by the audit. For example, as manager he/she who would need to deal with the corrective actions that were found. So, avoid having managers auditing their own subordinates during an internal audit.
The following material will provide you more information:
- Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
- Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ (includes a slide about developing checklist questions)
- ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/
-
ISO 9001 inquiry
1- Implementation process flow
Answer:
The following links provide information that can help you develop your own implementation process flow. The first article is about using the Gap Analysis as the first step in gathering information to develop an implementation plan:
- Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
- Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
2- Basic required procedures"
Answer:
This may come as a surprise to you but ISO 9001:2015 does not requires any procedure. It is up to each organization to decide what procedures, if any, are needed (please check clause 4.4.2). Not being mandatory is not the same as being forbidden. So, I recommend organizations to develop relevant procedures. The more complex an organization is and the bigger the staff rotation, the more are procedures useful. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
-
Management review
Please check the beginning of clause 9.3.1. It states that top management shall review to ensure a set of things about the quality management system. The conclusions and decisions of the management review are about that set of things. If top management does not approve those outputs, it cannot evidence that that set of things is being ensured.
The following material will provide you more information:
- How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
- How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
- Free webinar – How to perform management review according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-perform-management-review-according-to-iso-9001-2015-free-webinar-on-demand/
- ISO 9001 document template: Procedure for Management Review - https://advisera.com/9001academy/documentation/procedure-management-review/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
-
Project sponsor
I can only provide a general answer about project sponsors. Normally, a project sponsor is someone who does not actively participate in the project. The project sponsor must be regularly briefed by the project manager about the project status and intervene if the project is halted. A project sponsor can be very useful for unlocking resources and reconciling conflicting priorities and escalated issues.
The following material will provide you more information about design and development:
- The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
- Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
-
Third Party Compliance
I have a question in regards to the document in section 8, Third Party Compliance. Supplier Data Processing Agreement. We use a third party like Google Analytics, does it fall under this category?
-
Implementing 13485 as a wire harness supplier
According to the ISO 13485:2016 requirement 4.2.3 Medical device file, here are the elements that you need to have:
- a general description of your product and labeling
- specification of the product
- description of how you manufacture the device, package, store, handling, and distribution<
- if there is any kind of measuring or monitoring procedure
- if there are instruction or any requirement for installation to another device
- if there is a possibility to service your part of the device, then you need a procedure for that
For more information, please see the following article:
- How to meet ISO 13485:2016 requirements for medical device files - https://advisera.com/13485academy/blog/2017/06/28/how-to-meet-iso-13485-requirements-for-medical-device-files/
-
Changes to EU GDPR policies regarding e-privacy
Hi, I need to know whether there have been any changes to the EU GDPR policies recently in relation to e-privacy. Can you advise?
BCR are quite complex and not suitable for small-medium companies, with a long and complex adoption procedure. Maybe, your question referred to the Standard Contractual Clauses, which are used for assuring the transfer of data between companies that do not belong to the same group.
These are contained in Folder 7 of the EU GDPR Documentation Toolbox that you bought. If so, you need to attach the Data Transfer Agreement to the original Agreement with the other Party selecting the right template depending if you are transferring to a data processor or to a data controller.
2. When we have “employed” sellers and consultants with their own companies which invoices their “salary” to Digizuite, do we then need specific Data processing agreements with each of them?
Do your sellers and consultants process personal data on your behalf in their job? If they do, you need to sign a specific data processing agreement with each of them independently from the use of Digizuite. Maybe sellers relate with customer's personal data and you need to assure the process data being compliant with GDPR requirements as data processors.
3. I can’t find a Data Processor agreement in your material. Why isn’t it part of the toolkit?"
In the EUGDPR Documentation Toolkit, you can find 2 templates of Data Processor Agreement in Folder 8 - Third Party Compliance.
Here you can find some useful material about data transfer:
You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//