
  • DPIA, consent and other EU GDPR questions

    1. What documents in the EU GDPR Premium Documentation Toolkit are mandatory?

    You can find a list of the mandatory documents on the EU GDPR Premium Documentation Toolkit product page under the "Toolkit Documents" subsection: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/

    2. Usually, how many DPIAs does a medium-sized company need to perform?

    The number of DPIAs depends on the number of your processing activities as well as on their complexity and the effect that they may have on the rights and freedoms of the data subjects. You can find more about DPIAs in this free webinar Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/).

    3. Can an employer ask consent from employees for sending their data outside the EU?

    Consent is not recommended to be used as a lawful basis when dealing with employee personal data. I recommend using legitimate interest instead.

    4. Is ISO 27001 enough in terms of security measures?

    ISO 27001 is a best practice when it comes to security and, usually, it should be enough as long as the security measures cover all the processes where personal data are involved.

    5. When does a company outside the EU need to appoint a representative?

    Where the offering or monitoring tests apply, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption from the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large-scale processing of sensitive personal data.

    6. Is there a specific formality?

    Yes, there is; you can find a representative appointment letter in our EU GDPR Premium Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/).

  • Risk assessment and asset management

    According to ISO 27001, risk assessment should be done first: once you identify and evaluate all the risks, you can start implementing security controls. In ISO 27001 Annex A, section A.8 "Asset management", there are in total 10 controls that deal with asset management.

    These materials will also help you regarding risk assessment and asset management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • ISO 9001 external document control

    When I audit organizations, I find different document control methodologies in place. Some organizations stamp their controlled documents as “Controlled Copy”, and other organizations do not stamp their controlled documents. 

    ISO 9001:2015 is very generic and does not provide any "how to" for controlling documents. So, my answer is: you have to follow what your internal procedures require. Remember you can have different procedures for internal and external documents. It is up to your organization to define the rules. As an auditor, I just want to check if documents are in the right version and accessible by whoever needs to use them. And of course, to check if the organization follows its internal rules. There is no technical answer to your question; it is just a matter of opinion.

    The following material will provide you information about external documents:

    - ISO 9001 – What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • DPO tasks and responsibilities

    The DPO’s tasks are defined in Article 39 as:

    • to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
    • to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
    • to advise on, and to monitor, data protection impact assessments;
    • to cooperate with the supervisory authority; and
    • to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc).

    You can learn more about the tasks of the DPO from this webinar “Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/)

  • The culture of an organization

    ISO 9001:2015 does not require the study of the culture of an organization. There is only one mention of culture, in Note 3 to clause 4.1.

    While determining internal context issues, one can consider the organization's culture: for example, the experience and proficiency in working for a particular set of customers, the ability to develop new products in a short period, the capacity to develop and optimize very efficient processes.

    The following material will provide you information about the context of an organization:

    - ISO 9001 – ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - ISO 9001 - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/9001academy/free-download/case-study-for-iso-9001-2015-transition-in-a-construction-company
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 17025 implementation

    If you are referring to a company providing a calibration service to testing laboratories (i.e. they are a calibration laboratory), then yes, they need to implement and be accredited to ISO 17025.

    If you are asking whether it is compulsory for a company providing a testing service (i.e. they are a testing laboratory) that only calibrates the equipment they use for those tests in-house (i.e. they do not use an accredited calibration service), then yes, they need to implement and be accredited to ISO 17025 for the calibration activity to ensure metrological traceability of their test measurements. The testing activities themselves will need to be accredited if the sector, customers or legislation require it. For many sectors, however, it is voluntary to be accredited for the testing activities.

    If the company is not a calibration or testing laboratory but is using equipment, for example, for manufacturing, and is calibrating its equipment itself (in-house), the type of sector will dictate what accreditation is required. For example, for any pharmaceutical production, Good Manufacturing Practice (GMP) accreditation will be required for the production activities.

    In any case, the confidence in the quality of the results is achieved through implementing a management system based on ISO 17025 for calibration activities. The traceability of the measurement must be ensured through a formal unbroken chain of calibrations using references traceable to international measurement standards. 

    The following may be of interest:

  • Business Continuity Management System

    There is no pre-defined list of business continuity competences because each company will have different training requirements for its employees; e.g. one company might be using cloud systems for recovery, while another will use a secondary location with its own data centre, so the competences in those two companies will be very different.

    The ISO 22301 standard also does not provide any list of "default" competences.

    In general, your project manager and business continuity coordinator will need to be competent in the ISO 22301 standard, while the competences of all other employees will depend on their roles.

    This article will also help you: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/ 

  • ISO 9001 certification vs accreditation

    There are two important words in your question: certification and accreditation.

    There are four actors in your question: IAF, the accreditation body, the certification body and your organization.

    First, what is the difference between certification and accreditation?

    - Certification is when a certification body issues a certificate stating that a company is compliant with a standard.

    - What is accreditation, then? In order for certification bodies to be able to perform the certification audits and issue the certificates, they need to get a license, and this license is called accreditation. So, certification bodies are getting accredited, while companies are getting certified. (The certification body needs to be compliant with the standard ISO 17021 if they want to get accredited for certifying management systems.)

    There is usually only one accreditation body for each country (e.g., UKAS for the United Kingdom), while there are several certification bodies operating in each country.

    Have you ever wondered if a company claiming to be certified is really certified? I always recommend: Look for the certification body name. Then, look for the name of the accreditation body that accredited that certification body. Then, look to see if that accreditation body is included in the International Accreditation Forum (IAF) list. 

    The following material will provide you information about certification and accreditation:

    - Accreditation vs. certification vs. registration in the ISO world - https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
    - Accredited ISO certification versus non-accredited: What it means and why it matters - https://advisera.com/blog/2019/09/16/accredited-iso-certification-versus-non-accredited-what-it-means-and-why-it-matters/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Quality Agreement template

    No, unfortunately we do not have a Quality Agreement template in our Toolkit. The purpose of a Quality Agreement is to define all obligations and responsibilities between a manufacturer of medical devices and a supplier. However, obligations and responsibilities differ from supplier to supplier (it is not the same whether it is a supplier of critical raw material, some service or some consumables), and therefore it is difficult to unify it. If you tell me which supplier it is, I can help you with the specifics of the contract. As part of the toolkit, you can schedule a call with our ISO 13485 expert, and there you can discuss what you should include in such an agreement.

  • ISO 9001 certification for individuals

    What kind of certification are you thinking about?

    An ISO 9001 certification, as for companies, is not very useful unless you have a one-person business and are thinking about certifying that business.

    A certification as Lead Auditor or as Lead Implementer might be useful for developing your activity as auditor or consultant.

    The following material will provide you information about certification and courses:

    - ISO 9001 – ISO 9001 Certification - https://advisera.com/9001academy/iso-9001-certification/
    - ISO 9001 – Free online training courses - https://advisera.com/training/iso-9001-courses/
