Search results

Final Presentation of Project Results

Please note that the project objective is "To implement the Information Security Management System in accordance with the ISO 27001 standard by [date] at the latest."

Considering that, the presentation is directed to the person which is responsible for the ISMS scope (e.g., the CEO if the ISMS scope covers all the organization, or the department head if the ISMS is restricted to a department).

As for when the presentation should be held, you should consider a time after the management review, so the persons held responsible for implementing the decisions taken in the management review have time to provide some details about how the decisions will be implemented.

Marketing activities to companies

"Wow. Thank you so much. You are really helping me. So to clarify for my own understanding, I'll take it point by point. 

1) I can send email to a company who is already a customer and who has agreed to receive marketing messages from me? Please proved the GDPR clause for this point

Yes, Article 6 par. 1 lett. a GDPR states that: 

“Processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

So if your customer has given you consent to process his personal data (email) for one or more specific purposes (providing your services and promoting/marketing) your processing (sending promotional email) will be lawful.

You can find more information about consent in the new Guidelines adopted by the European Data Protection Board (EDPB) on May 4th 2020: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

2) The person receiving marketing messages/emails from me must be relevant and connected to my products/services? This means that relevance is important?

Relevance is important to the extent that the data subject can reasonably expect to receive such kind of communication. If I am the buyer of a company I can reasonably expect to receive offers and promotions from my company’s suppliers. In particular if in our commercial relationship I accepted to receive promotions signing consent.

Of course, this would not apply if I were the company HR manager. Why should I receive offers from this supplier? How did they get my email? The aim of GDPR is to not surprise your customers. 

Article 5 GDPR lists the principles of data processing states at letter b) that data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;” using the HR manager email is incompatible with the marketing purpose of sending offers because that manager has no decision power on your offer. 

The following letter c in Article 5 GDPR states also that data processing shall be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”

That is where relevance comes into evidence. Of course, the data controller can estimate that sending offers to all management is relevant and adequate to his purposes, he/she will need to demonstrate such relevance and adequacy. In fact, paragraph 2 GDPR closes Article 5 GDPR affirming that: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”

If you are able to demonstrate that sending promotional emails to non-relevant persons in your customers’ companies comply with principles of the data processing listed in Article 5 GDPR, you will be free to send these emails. 

3) If I search on the Internet for a company and the relevant person to speak to about what I am selling, openly provides this information and is thus freely available on the public domain, then it is still not compliant to send them an email? This means that information that is in the public domain and openly presented to the public as having that title or role is still not appropriate to send him/her a cold email? Please provide the GDPR clause for this point?

You need to approach to personal data available on the public domain asking yourself “why those data are available?” Someone presenting him/herself as company CEO is claiming his role, he/she is not asking for receiving unsolicited promotional emails. 

You can discuss about the company and you can send a cold email, relying on the legitimate interest as a legal basis for data processing. 

Article 6 par. 1 (f) GDPR states that data processing is lawful when: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interest can be a commercial interest. You need to verify those steps:

1. identify a legitimate interest;
2. how that the processing is necessary to achieve it; and
3. balance it against the individual’s interests, rights and freedoms.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

4) A further example of public domain information that is freely available is LinkedIn social media which is purpose-built for networking between business individuals. Individuals openly make themselves available to be communicated with. LinkedIn also provides a communication message box to approach a potential customer. Please provide the GDPR clause for this type of communication in social media?

GDPR is a non-technology related regulation. It aims to protect personal data independently from the means of communication used. You need to apply principles of data processing and lawfulness of processing as proclaimed in Article 5 and 6 GDPR to all means of communications.

Therefore, you can use your legitimate commercial interest and send a cold message to the relevant person (principle of minimization) of the company to approach a potential customer. You need to apply the three steps verification and be sure that there is not a less intrusive way to contact the potential customer.

5) The only method in which to engage with a person from a company is to send an unsolicited email invitation to the person to ask if I can send them marketing information. Is this not contradictory? because "sending them an offer in order to send them an offer" makes no sense to me. Can you provide the defined and explicit clause in the GDPR to reference the definitions and explanations of this point?

As I said above, your unsolicited email will lay on the commercial legitimate interest ground-based on Article 6 (f) GDPR. This legal ground allows you to introduce yourself and your company. In order to send to the potential customer promotional emails, you need to act on a different legal ground which is consent under Article 6 (a) GDPR. 

Remember that Article 83 par. 5 (a) GDPR provides the highest fines for breach of the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9. The fine is up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

6) If I sell multiple products and services and the person opt-in for certain products/services and opt-out for other products/services. Where or how does the GDPR allow or disallow further promotion to an opt-in customer but opt out for specific product/service? Please provide the GDPR clause for this point?

Article 21 par 2, 3, 4 GDPR provides your answer. Your customer has the right to object to the processing of personal data for direct marketing purposes at any time. If he/she objects you cannot process his/her data for those purposes. Allowing your customer to opt-out for some products allows you to continue processing for the others. 

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

Here you can find the full wording of reported GDPR Articles:

Article 5 GDPR: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/

Article 6 GDPR: https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/

Article 21 GDPR: https://advisera.com/eugdpracademy/gdpr/right-to-object/

Article 83 GDPR: https://advisera.com/eugdpracademy/gdpr/general-conditions-for-imposing-administrative-fines/ 

Writing quality manual and nominating quality manager when we implement ISO 17025:2017

Indeed, although ISO 17025:2017 does not specifically require an appointment of a Quality Manager, nor a documented Quality Manual; it does not imply you cannot do so. You can include a quality manual as part of your documented management system and you can nominate a quality manager.

ISO 17025 specifies general requirements, to ensure competency. Your laboratory must establish a management system that suites your needs, to meet your objectives. In identifying suitable management, authorities and responsibilities, you can have one or more personnel performing the Quality Management functions. Likewise, when you establish processes and documents to meet ISO 17025 mandatory requirements, you could also include information in a quality manual, to describing the organization’s structure, the general requirements of impartiality and confidentiality and other processes that do not specifically require documented procedures. It is also a central place to reference mandatory documented procedures. A Quality Manual is included in the ISO 17025 toolkit. Have a look at the ISO 17025 document template: Quality Manual at https://advisera.com/17025academy/documentation/quality-manual/

It is important to understand the intent behind the revision, to help you implement ISO 17025 effectively. Have a look at the article ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed? at https://advisera.com/17025academy/blog/2019/11/13/iso-17025-2017-vs-iso-17025-2005-key-changes-infographic/

Minimum time frame to implement ISO 13485 to Stage 1

The time necessary for the implementation of ISO 13485:2016 depends on the number of the employees, how many and how complex your processes are; and what your medical device is (is it low-risk medical device, do you have sterilization process, is it software). Usually, for the company with 10 employees, it is necessary some 2-3 months for companies, and for companies with up to 50 employees, it takes some 6-8 months. 

Here you can find a Checklist of ISO 13485 implementation and certification steps:

• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

Although this article is written for ISO 27001, the content is universal, so maybe you will find it useful:

• The documentation myth – Why the templates are not enough? https://advisera.com/27001academy/blog/2012/04/24/the-documentation-myth-why-the-templates-are-not-enough/

• ISO 9001 vs ISO 22000

  I’m not an expert on ISO 22000 and Advisera does not provide services about ISO 22000. However, I invite you to check that both standards have a common structure (the so-called High Level Structure) and it is straightforward to integrate clauses 4, 5, 6, 7, 9 and 10.

  Major differences are around clause 8 in both standards.

  With ISO 9001:2015 you are working with:

  8.2 – handling customers’ orders
  8.3 – developing new products
  8.4 – purchasing materials, services and processes
  8.5 – manufacturing the products
  8.6 – controlling quality
  8.7 – treating non-conforming product
   

  With ISO 22000:2018 you are working with food safety:

  8.1 Operational planning and control
  8.2 Prerequisite programmes (PRPs)
  8.3 Traceability system
  8.4 Emergency preparedness and response
  8.5 Hazard control
  8.6 Updating the information specifying the PRPs and the hazard control plan
  8.7 Control of monitoring and measuring
  8.8 Verification related to PRPs and the hazard control plan
  8.9 Control of product and process
   

  Please check this article - Similarities and differences between ISO 9001 and ISO 22000 - https://advisera.com/9001academy/blog/2018/11/20/similarities-and-differences-between-iso-9001-and-iso-22000/

• ISMS roles and responsibilities

  This is not sufficient, because not only the ISMS champions must know about their information security responsibilities, but also all personnel included in the ISMS scope, so they can know who to look for in case of a situation related to information security.

  In  this case, you must also consider:

  • Document information security roles and responsibilities in the policies and procedures used by the organization.
  • Provide awareness and training sessions for all personnel included in the ISMS scope.

  This article will provide you a further explanation about documenting roles and responsibilities:

  • How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

  These materials will also help you regarding roles and responsibilities:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO 22301 gap analysis

  Please note that ISO 22031 does not require a gap analysis to be performed, and it is not recommended for smaller companies, because, in general, it is not worth the effort due to their size and complexity. As an alternative, you can use the internal audit checklist, located on folder 10 Internal Audit, to make a quick assessment of your situation.

• Ecosystem degradation cause

  Environmental changes that cause ecosystem degradation are based on many factors including:

  • Urbanization
  • Population growth
  • Economic growth
  • Intensification of agriculture
  • Increase in energy use
  • Increase in transportation

  
  You can find more information about ISO 14001 below:

  • Protect and improve biodiversity performance by implementing ISO 14001 - https://advisera.com/14001academy/blog/2019/09/09/iso-14001-and-biodiversity-how-to-improve-performance/
  • Enroll for free online training - ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

• Internet Access

  Although ISO 27001 does not prescribe access to the Internet only through the organization as mandatory, what happens in real life is that this is more a common sense for business practice, as survival and competitive question than a standard's requirement (most of the businesses and their relations go through the Internet).

  Considering that, when organizations resources, like email services, are available through direct access to the Internet (e.g., to allow remote work), a common practice is the usage of access through Virtual Private Networks (VPNs), where the organizations implement controls such as protected communication, and access control to limit external access to authorized users, only to needed information, and also can monitor activities and information flow.

  A third important point is awareness activities, so employees can understand the importance to access the Internet only through the organization, and the consequences on direct access.

  This article will provide you a further explanation about network controls:

  • How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

  This material will provide you further information about employee awareness:

  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

• Procedure for clinical trials

  Yes, you are right. Unfortunately, in our toolkit there is no procedure for clinical trials because, in MDR 2017/745, requirements for documents for clinical investigation are very detailed described in Article 63, Article 72, and in Annex XV (Chapter II and III). Further on, clinical trials must be performed according to harmonized standard ISO 14155:2011 Clinical investigation of medical devices for human subjects — Good clinical practice. In most cases, clinical trials are conducted by specialized companies. 

  Which documents are necessary for medical devices you can find in the following material: 

  • EU MDR Checklist of Mandatory Documents https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents