  • EU GDPR questions

    How can an authority in the EU fine a company in India or another country outside the EU?

    Based on Art. 27 of the EU GDPR, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption from the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large-scale processing of sensitive personal data. Although there is no best practice on this, most likely the fine will be issued to the representative.

    Do you have some materials to help me understand how to start a GDPR program?

    I would suggest starting by going through our article  “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/) as well as this webinar “An overview of steps needed to comply with GDPR” (https://advisera.com/eugdpracademy/webinar/an-overview-of-steps-needed-to-comply-with-gdpr-free-webinar-on-demand/).

    Do you have some materials that I could present to the management of the company to make them aware of the GDPR?

    Please check this PowerPoint presentation that you can download freely from our website: “Why is privacy important for our company? - Awareness presentation” (https://info.advisera.com/eugdpracademy/free-download/why-is-privacy-important-for-our-company-awareness-presentation).

    If we have access to data of EU users do we need to do anything special? We usually get data from EU companies and we do data cleaning removing duplicates.

    Based on the description provided, you are acting as a processor and you act on the instructions of your clients. Usually, your clients would need to have you sign a Data Processing Agreement in which you commit yourself to process personal data based on the instructions of the data controller.

    We also receive some personal data from our clients' employees when they enter tickets. Is there something specific to consider?

    When collecting personal data you need to present to the data subjects a Privacy Notice explaining why you need their data and what you are using it for. If you want to find out more about Privacy Notices, check out this free webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    How much time do we need to keep the personal data?

    Unless there is a specific legal obligation that sets a specific retention period, you can define a retention period yourself, bearing in mind that the data should not be kept for longer than is necessary.

    Are there specific security measures to be deployed?

    The EU GDPR only specifies, in Art. 32, some examples of security measures that can be employed. However, these are mere examples and it is up to the controller/processor to define adequate security measures. A good example and best practice are the security measures in the ISO 27001 standard.

    Can you recommend a site to get GDPR updates?

    I would suggest going first to the European Data Protection Board website (https://edpb.europa.eu/edpb_en) as well as the websites of the Supervisory Authorities in the EU, such as the ICO (https://ico.org.uk/). You will also find useful information on our website at https://advisera.com/eugdpracademy/what-is-eugdpr/

    Also, we received a request from a client to present our Records of Processing Activities. What are these?

    If you act as a controller, you must keep a record of the following information:

    - your name and contact details and, where applicable, any joint controllers, representatives and data protection officers;
    - the purposes of the processing;
    - a description of the categories of data subjects and of the categories of personal data;
    - the categories of recipients, including recipients in third countries or international organizations;
    - details of transfers of personal data to third countries (where applicable);
    - retention periods for different categories of personal data (where possible); and
    - a general description of the security measures employed (where possible).

    If you act as a data processor, you must keep the following records:

    - your name and contact details and, where applicable, representatives and data protection officers;
    - the name and contact details of each controller you act for including, where applicable, representatives and data protection officers;
    - the categories of processing carried out on behalf of each controller;
    - details of transfers of personal data to third countries (where applicable);
    - a general description of the security measures employed (where possible).

    Do we need to have them?

    This document is mandatory if:

    - (a) the company has more than 250 employees; or
    - (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or
    - (c) the processing is not occasional; or
    - (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or
    - (e) the processing includes personal data relating to criminal convictions and offenses.

  • Audit Non-conforming work

    I understand from your reference to an audit nonconformance that your laboratory may not have adequately addressed competence, impartiality and consistent operations in the Quality Policy and Objectives; and you are asking how to correct this? 

    ISO 17025:2017 clause 8.2.2 requires that the policies and objectives of a laboratory are established to support the scope and purpose of the ISO 17025 standard and the quality management system of a laboratory. The role of the Quality Policy is to bind the management system together in a singular vision of what quality means to the laboratory. It essentially sets the stage for establishing objectives and the design of all laboratory processes to ensure competence, consistent operation and safeguard impartiality. 

    When looking at the gaps in the Quality Policy and Objectives, start by reviewing the laboratory’s context, i.e. the circumstances – sector, accreditation, legal entity; scope of work; and identify all interested/involved parties. For example, a parent company or board of directors may have a strategic direction and an ethics policy which the laboratory needs to be in line with. The accreditation body that audited your lab is also an “interested party”, as are regulators in your sector. These parties may have specific requirements to be met. Once you have looked again at these core issues, revise the quality policy and quality objectives to address the gaps. For example, include a statement that “Management is committed to performing activities to ensure impartiality through continual identification of risks to its impartiality and taking appropriate action to mitigate them”.

    Commitment to competence and consistent operation is a thread that must run through all laboratory processes. State and provide evidence of commitment and investment in quality control, personnel training and evaluation; equipment maintenance and calibration. State how the laboratory plans to support these policies and achieve objectives.  Ensure effective planning, doing and checking (monitoring). Lastly, record and act on observed improvement or deviations to drive consistent operation. 

    The ISO 17025 Toolkit provides useful guidance and templates to assist with effective implementation. Have a look at:

    The following articles could also be helpful:

  • Emergency categories

    ISO 14001:2015 does not provide, either in the text of the standard (Clause 8.2) or in its annex (A.8.2), any requirement for the classification of emergency situations into categories. ISO 14001:2015, clause 8.2 c) provides some guidance on the need to classify each emergency situation. Each organization should define the best technique for doing that. Once I worked at a chemical industry manufacturing plant with high environmental impacts associated with emergency situations. We used categories because they were very useful to communicate standardized response actions to everybody in the plant, easily and without going into details.

    The following material will provide you more information about emergency situations:

    5 steps to set up an emergency plan according to ISO 14001 - https://advisera.com/14001academy/blog/2014/07/23/5-steps-set-emergency-plan-according-iso-14001/
    ISO 14001 emergency preparedness and response - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-emergency-preparedness-and-response/
    Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Quantifying perceived quality

    Please check the use of a Likert scale. You define a scale and you characterize what should be included at each level, for example with a description, to minimize subjectivity. You can also use a Likert scale when you ask customers for their opinion, something like:

    🔆 - Awful

    🔆🔆 - Bad

    🔆🔆🔆 - Average

    🔆🔆🔆🔆 - Good

    🔆🔆🔆🔆🔆 - Awesome

    Please check also the SERVQUAL research instrument and SERVPERF specifically for perceptions/expectations.

    The following material will provide you information about customer satisfaction: 

    - ISO 9001 – Main elements of handling customer satisfaction in ISO 9001 - https://advisera.com/9001academy/blog/2014/07/01/main-elements-handling-customer-satisfaction-iso-9001/

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Security assurance and Security assessment

    Do you respond to Security assurance questions? 

    Not sure if I understood your question correctly, but if you purchase our documentation toolkits https://advisera.com/27001academy/product-tour/ then we will answer any of your questions regarding security implementation. 

    Can you provide an exec summary of Security assessment and remedial action?

    If your question is about the risk management process according to ISO 27001, here are the materials that can help you:

    These materials will also help you regarding risk assessment and treatment:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own - https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course - https://advisera.com/training/iso-27001-foundations-course/

  • Applicability of A.14.2.2 Change Management for staff augmentation companies

    The exclusion of controls in ISO 27001 can be made only if there are no related risks, and if there are no legal or contractual requirements.

    So you have to perform risk assessment and review all the requirements, and then you can conclude whether you can exclude this control. 

    These materials will also help you regarding exclusion of controls, managing risks and listing requirements:

  • Work Instruction

    ISO 27001 does not prescribe how to format the documents; in other words, you're free to use the headings and the structure in your work instructions as you see fit.

    Of course, it might be easier for the users of your documents to see the same style in all documents, but again you have to estimate if this makes sense. 

  • Interested parties requirements

    You can schedule a meeting with the relevant people of your organization (those who are familiar with the different processes of your company, such as heads of department or top management) in order to conduct a SWOT analysis (strengths, weaknesses, opportunities and threats). This analysis is going to help you to understand the internal and external issues of your organization as well as the relevant interested parties and their needs and expectations, plus the associated risks. Some interested parties may include: shareholders, customers, employees, government, etc. You can write a procedure to describe this process; although it is not necessary, it can help you to conduct it in a systematic way.

    For more information about how to identify the interested parties of your organization and addressing risks and opportunities, see the following materials: 

    - Article - How to determine interested parties and their requirements according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015//

    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 27001 helping in implementing ISO/IEC 17024

    The official title of ISO/IEC 17024 is "Conformity assessment — General requirements for bodies operating certification of persons" - so this standard is about how training organizations need to be organized in order to issue certificates to their students.

    Therefore, ISO 27001 Lead Auditor or ISO 27001 Lead Implementer courses cannot really help you implement ISO 17024.

  • FDA / GMP guidelines

    If I understand the question correctly, you are looking for an answer to whether the FDA / GMP guidelines say when to produce in a clean room. It is not up to the guidelines to tell you whether or not to produce your medical device in a clean room. That is the decision of top management. The guidelines are there to show you how clean rooms need to be installed, how to maintain them, what to measure, how to validate them, and the like. Most often, medical devices that must be sterile are produced in clean rooms.
