
  • BCR, DPO and judicial data

    1. Can you please explain a bit if having BCRs in place we will be compliant with the GDPR?

    Binding Corporate Rules are internal rules for data transfers within multinational companies. Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. So, they are only useful when it comes to performing intragroup data transfers.

    2. Are there any specific requirements on how to process data about the health of our contractors?

    Health data is special category data and you can only process it in your case if you have a legal obligation dictated by the health and safety maritime laws. For example, you can ask the staff you employ as sailors to bring proof that their health condition allows them to perform specific tasks.

    3. How about judicial data? We are required to ask for the criminal record of the crew before hiring them.

    The same rules apply to judicial data as well. However, you should only ask for a criminal record but not for documents pertaining to the specific offenses that a person committed.

    4. Do we need to have a data protection officer?

    Depending on the size of the company, and also if your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offenses), you may need a DPO. Since I know that your company is not so big and your core business does not consist in processing sensitive data, I would say you don't need a DPO.

    5. Do we need to register as processing health and judicial data?

    This is dependent on where your company is registered. As far as I know, Greece does not require companies that process personal data to register to the Data Protection Authority.  

  • SOP naming conventions

    First, I would like to point out that you do not need to change your documentation to meet the structure and terminology of the AS9100 Rev D standard. This is clearly outlined in Annex A1 which states “there is no requirement in this international standard for its structure and terminology to be applied to the documented information of an organization’s quality management system”. It goes on to clearly state that “Organizations can choose to use terms which suit their operations (e.g. using “records”, “documentation”, “protocols” rather than “documented information”…)”. So, in short, the standard clearly states that you do not need to re-number procedures or change your terminology to comply with AS9100 Rev D.

    My advice to you would be to not re-align your documentation to the numbering of the standard, and instead go with your thought of e.g. OPP001 is for purchasing. You can then number them in any order that makes sense for you (such as in the order that they appear in your overall process flow), and file them again in an order that makes sense (not even aligning to the standard if this does not help you). The idea of the standard is not to force you to confuse your staff with numbering and terminology changes that do not make sense to them, but to allow you to make the system work for you, yet make it flexible enough that any organization can use it. It is also a good time to purge any documents that are really not helping your QMS succeed if it is no longer a requirement of the standard.

    To make sure you are not missing any mandatory documents from AS9100 Rev D, see the whitepaper: AS9100 Rev D List of Mandatory Documents, https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents

  • Processing biometric data

    My first advice would be not to use any biometric data. Considering the scope of the processing, namely loyalty cards, I would strongly advise you not to process any biometric data.

    If you still want to proceed you would need the express consent of the users as well as performing a Data Processing Impact Assessment.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

  • Evidence of failure of the error-proof device

    Error-proofing devices have a simple objective: to make products or run a process without any defects. If there is a defect of any kind, then the error-proofing devices are not achieving their objective. Then it is a failure.

    You can keep evidence in a paper report of device performance, or use software to have it recorded. Most error-proofing devices have their own software that generates reports about performance. Those reports are fine evidence.

    For more about error-proofing please read the article: 

    How to establish an error-proofing process according to IATF 16949 https://advisera.com/16949academy/blog/2017/10/11/how-to-establish-an-error-proofing-process-according-to-iatf-16949/

  • Validating Conformio software

    Yes, it is necessary to validate Conformio software. Conformio is verified by our internal testing. The simplest way for a client to validate Conformio is to create a list of the functionality and behaviors it expects from Conformio and check them in software. Of course, each client will have their own specific requirements. Here are some specific points that can be covered:

    Data integrity - can the data be changed inadvertently? Or, if inadvertent changes occur, are they flagged and/or detectable?
    Document metadata has a full history in Conformio, and document data changes are tracked by Word’s Track Changes feature. Each separately saved version of the document can be accessed; there is full history and older versions are kept. The user can choose to overwrite the existing version, though (this is a must-have requirement from some other customers).
    Files can be locked from later changes (status Approved), and for Word documents, Track Changes can be turned on (but can be turned off by the user). Currently, Track Changes can be turned off and changes can be 'accepted' by users, without a record of what changed.

    Access to data/files
    There are several levels of access to Conformio:
    - Accessing the Conformio platform: through username and password
    - Accessing the specific project: the account administrator defines the project access through Project Settings or through the Users module; also, the Project Manager on the project can allow access to a user through Project Settings
    - Accessing folders/files: the folder Owner, Admin or Project Manager can grant access to a user.

    Audit trails
    Changes in document metadata are shown in the Notification bar and in the Overview tab.
    Changes on tasks (changing the Assignee, due dates, etc.) from the Projects and Compliance modules are shown in the Overview tab...

  • ISO20000 - Design and Transition of New or Changed Service

    Design and Transition of new or changed services is related to other processes, as you noticed. Process description in our ISO 20000 documentation toolkit defines activities related to the process - you can find it here https://advisera.com/20000academy/iso-20000-documentation-toolkit/

    Service Catalogue process is not covered in ISO 20000 documentation toolkit, but you can see a preview of the document here https://advisera.com/20000academy/itil-documentation-toolkit/

    The following article can help you with the design and transition process:

    “Overview of ISO 20000:2018 structure and requirements” https://advisera.com/20000academy/blog/2019/09/05/iso-20000-requirements-and-structure/

    For more about Service Catalogue please read these articles: “Service Catalogue – Defining the service” https://advisera.com/20000academy/blog/2014/03/11/service-catalogue-defining-service/
    “Choosing four main inputs for the ITIL/ISO 20000 Service Catalogue to avoid bureaucracy” https://advisera.com/20000academy/blog/2015/09/29/choosing-four-main-inputs-for-the-itiliso-20000-service-catalogue-to-avoid-bureaucracy/

  • Safe distance for redundant sites

    ISO 22301, the ISO standard for business continuity management, and most regulations and industry practices do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, I suggest you start a discussion suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyze your organization's context (geographic situation, available resources, required investment, etc.).

    This article will provide you a further explanation about the distance of the recovery site:
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

    This material will also help you regarding the distance of the recovery site:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

  • ISMS awareness

    This is one way to evidence awareness, but you should also consider other alternatives, since this document is normally signed at the beginning of the work relationship and stored in the employee file.

    As other methods of awareness, you should consider training sessions and the use of newsletters, which can be performed on a regular basis.

    These articles will provide you a further explanation about awareness:
    - What are the benefits of security awareness training for organizations? https://advisera.com/27001academy/blog/2019/03/27/what-are-the-benefits-of-security-awareness-training-for-organizations/
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    This material will also help you regarding awareness:
    - Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

  • Quality Manual best approach

    The simplest approach would be to cover all requirements of the standard with a simple explanation of how your company complies with them. You should also include a link that will lead to a document that describes in more detail how you meet the requirements of the standard.

    For more about Quality Manual, please read the article: How to write the IATF 16949 Quality Manual https://advisera.com/16949academy/blog/2017/05/31/how-to-write-the-iatf-16949-quality-manual/  

    For a shorter version please read the article: Writing a short Quality Manual https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/

  • Concern about corporate quality policy

    Think about the purpose of a quality policy: aligning people around a set of priorities.

    I will give you my thoughts; I will write about my own practice. When I work with an organization’s top management in developing their quality policy, I recommend thinking about a set of questions:

    • Who are your target customers and other very relevant interested parties?
    • What are the most important requirements for those target customers and other very relevant interested parties? In other words, what do they value and look for?
    • In what activities should your organization be excellent to be able to satisfy target customers and other very relevant interested parties?

    After discussing the questions and answers and after arriving at some consensus, I invite the organization to write a text with the following structure:

    • For whom do we work (We work for clients that value …)
    • What are our top priorities? In what things do we need to be excellent?
    • Add the commitments included and required by ISO 9001

    The following material will provide you more information about quality policy:

    How to Write a Good Quality Policy – https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/

    [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/

    Book - Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
