No, it is not sufficient because the Data Protection Policy and DPIA (Data Protection Impact Assessment) are different documents for different purposes.
A Data Protection Policy is an internal document that establishes rules on how personal data is processed by your organization, while a DPIA is a document produced to evaluate the risks to the rights and freedoms of data subjects and the measures taken to minimize such risks, with its required content established in Article 35 GDPR.
Data Protection Policy is a measure taken to increase security in data processing. It is mandatory under article 24 para 2 GDPR only “where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.”
However, the GDPR places the burden of proving compliance on the data controller. Therefore, a Data Protection Policy (which is considered an appropriate organizational security measure) is a way to help the data controller demonstrate compliance.
Of course, much depends on the size and complexity of your organization, because any data controller needs to balance costs, complexity, and the risks arising from data processing.
You can find more information here:
- Contents of the Data Protection Policy according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/
- 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
You may also consider taking our free EU GDPR Foundation course: EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Please note that ISO 27001 only requires documentation of risks related to information, not about risks and opportunities to the ISMS as a system. Therefore, you should not include them in the Risk Treatment Table, because the purpose of this table is to document the treatment of risks related to information and this can create confusion among users.
This book provides information about what to consider when implementing controls (e.g., which documents to write, which responsibilities to define, which actions to perform, etc.), but it does not provide specific examples of acceptable evidence for an audit. Broadly speaking, examples of evidence are:
- logs
- files in the system
- diagrams of the network
- configuration of platforms
- agreements with suppliers or customers
- filled forms
Unfortunately, a list showing all the evidence that the IATF 16949 standard requires is not available. Companies must prepare the objective evidence according to their own operations for every mandatory "shall" requirement written in the standard.
For example, according to the requirements of 8.5.1.2 Standardized work: operator instructions and visual standards, machine operating instructions must be in a language that the personnel will understand, operators must have understood these instructions, the instructions must be available in the work area, and these instructions must include operator safety rules.
When viewed within this framework, all the evidence required must be prepared, documented and presented by the company.
To get an idea on which kind of records you can use for your management system, see this toolkit:
IATF 16949:2016 Documentation Toolkit
https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/
When does MSA have to be performed? After every calibration? After a change of operators/inspectors?
An MSA study must be carried out for each type of instrument specified in the control plan. An MSA study must be done when new measuring equipment is purchased. If any automotive customer states in its customer-specific requirements that there is an obligation to do MSA studies once a year, then MSA studies must be done once a year.
The MSA study should be repeated when a change in the measurement system occurs. This includes changes such as measuring instruments, operators, or measuring methods.
When the instrument is repaired, the MSA study must be repeated. Normally, it is a good idea to do a gauge study, that is, a Type 1 study, after calibration of the measurement device. In particular, Mercedes requests a Type 1 MSA study, which is a bias study, after each calibration.
When we have a large variety of parts or part numbers of various sizes, then how to perform MSA? For all part numbers?
When performing MSA, critical measures should be selected and prioritized accordingly. Smaller sizes should be chosen instead of wide ones. MSA is not required for every part, because the MSA study is done on the measuring instrument, not directly on the part. When choosing parts for the MSA study, critical parts and critical features should be taken into consideration. If the variations in the process are largely due to special causes, the special causes must first be eliminated and the process stabilized. Otherwise, the MSA results we get will not reflect the truth.
Is it necessary to mention Work instruction revision no. and date in PFMEA and Control plan?
No, it is not necessary. Just a document number is enough in the PFMEA and control plan.
In PFMEA, each function/requirement has to be classified as minor, moderate, major or to mention only SC/CC wherever required?
No, it doesn't have to be. The first place to look is the customer drawing or the definition in the customer specifications. Critical characteristics must be defined in these documents. They should definitely be included in the FMEA and control plans, especially if there is a product safety issue. If not, the organization's past experience and the types of complaints may reveal these characteristics. Such characteristics also come from the manufacturing process parameters, and these should be included in the P-FMEA and control plan.
For more information, please read the following article:
You can add a new facility to the existing ISO 13485 certificate if the processes at the new facility are covered by the scope of your ISO 13485 certificate. In that case, just inform your certification body that during the next audit you want to make a scope extension to the new facility.
For more information, read this article:
On the market, there are plenty of solutions for data retention and deletion, and there is no unique answer. In selecting the measures that fit your needs, you need to consider that the GDPR aims to assure the integrity, availability, and confidentiality of data. Therefore, you can either store data on your local server, but server access must be secured and subject to authentication, or you can choose to store data in the cloud, but you need to avoid a shared cloud and select a solution that meets those targets.
GDPR, in fact, aims to be technologically neutral.
Encryption, antivirus, firewall, and controlled access are among the best technical measures; but, again, you need to verify that the encryption key is strong enough to protect data from unauthorized access, and that the firewall and antivirus are updated against the latest threats.
The same applies to data deletion: deleting data before the end of the retention period can be considered a data breach, because you were not able to guarantee integrity for the whole retention period (consider this when you set that period). On the market, there are tools that allow you to manage consent and deletion automatically; check whether these tools guarantee enough security in terms of confidentiality, integrity, and availability.
Here you can find some useful information:
- A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
- How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
- Implementing 3 main accountability principles under the EU GDPR: https://advisera.com/eugdpracademy/blog/2017/09/27/implementing-3-main-accountability-principles-under-the-eu-gdpr/
Description of roles and related responsibilities (e.g. in our documentation toolkit we put it as a mandatory part of the process description) will provide the required evidence.
Also, when you document processes in the scope of the SMS – it should be clearly visible who is doing what.
This article will help you: "Defining roles and responsibilities for ISO 20000-based IT Service Management" https://advisera.com/20000academy/blog/2017/10/18/defining-roles-and-responsibilities-for-iso-20000-based-it-service-management/
And, particularly for smaller organizations, here are a few ideas on how to combine roles: "What ITIL roles can be combined in one person?" https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/
Further on, technical resources are your tools used to manage IT services (and tasks) and financial resources – e.g. your budget.
Find more information here:
- "5 things to beware of when selecting an ITSM tool" https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/
- "Financial Management for IT services – theory and practice" https://advisera.com/20000academy/knowledgebase/financial-management-services-theory-practice/
ITIL is a best practice framework, and practice(s) is just one of the essential elements for value creation (shortly described here: "ITIL 3 vs. ITIL 4 – What has changed and what is new?" https://advisera.com/20000academy/blog/2019/07/04/itil-3-vs-itil-4-what-has-changed-and-what-is-new/).
This article, "COBIT, ITIL and ISO 20000 – The main differences" https://advisera.com/20000academy/blog/2019/09/25/cobit-vs-itil-vs-iso-20000-a-comparison/, will help you understand the relation between ITIL and COBIT.
Objectively, I will say that it is on the non-mandatory list. Clause 4.4.1 states that organizations must determine their processes, their inputs, and outputs and how they interact. Nowhere does it say there has to be a document, but everyone is waiting to see the process map. Clause 4.4.2 is par excellence part of the non-mandatory list. Organizations are invited to reflect on what documents to create for their quality management system.
A clause may not be listed in any of those lists, for example clauses 5.3, 6.3 or 7.4. An organization may have leadership practices or communication practices, and evidence of them, yet without any non-mandatory document. In the same way, an organization may address clause 6.1 without considering the need for a non-mandatory document. Only the mandatory list is relevant. The non-mandatory list is a sort of adviser based on Advisera's experience.
The following material will provide you more information about documentation: