
  • Quality and Information Security Manager combined?

    Answer:

    At small IT organizations (up to 20/30 employees), normally, the same person combines the two roles.
    At larger organizations, particularly if the core is not software, like manufacturing, normally, each role is performed by different persons.

    The following material will provide you information about combining ISO 9001 and ISO 27001:

    - Free webinar – ISO 27001 implementation: How to make it easier using ISO 9001 - https://advisera.com/9001academy/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Design and nonconformities

    Answer:

    (1) – Who established the product requirements? Why did the customer ask for modifications? If the customer established the initial specifications and:

    * now he is asking changes because those specifications were not met, that is a non-conformity;

    * now he is asking changes because although the specifications were met, they are not useful during use, that is not a non-conformity.

    If the initial specifications were developed by your company and were met, and the customer is asking for changes, that is not a non-conformity about the product. Perhaps your company could consider a non-conformity of the service: you want to improve future collection of input information for project development (not many companies follow this way).

    (2) – I do not consider this situation as a non-conformity in the design. There is no agreed specification yet, many times this is a trial and error phase.

    The following material will provide you information about design and development:

    - ISO 9001 - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Marketing activities


    Answer:

    The EU GDPR is meant to be applicable in all instances where personal data is being processed, including marketing activities, as long as it is business to consumer. There are no specific sections in the EU GDPR dedicated to marketing or any other processing activities, for that matter.

    To learn more about marketing and the EU GDPR check out our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/
  • Staff training on GDPR

    2. Also, GDPR requires staff training. What should be the main focus of training: maintenance of privacy, or any other procedures in particular?

    Answers:

    1. Registration with a Supervisory Authority is subject to local law. For example, the ICO requires controllers to register: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/
    2. The training should be targeted to the processing activities that your staff are dealing with in their day-to-day activities. Of course, all your staff need to be informed on the basic principles of GDPR, but some may need specific training, such as marketing staff or security staff.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Convincing top management


    So far, I have not been successful in convincing the top management that it would be advantageous to educate ourselves about ISO 27001 and eventually sign up to it. I intend to take the course as soon as possible.

    Dejan, perhaps you could give me some tips on how to influence the top management.

    Answer: To improve your chances of getting support for an ISO 27001 initiative in your organization, you should provide real examples of benefits related to:
    - compliance to regulations regarding data protection, privacy and IT governance applicable to the organization
    - competitive differential that can be achieved by being capable to demonstrate your organization can protect customer information
    - decrease in costs incurred by information related incidents
    - improving internal organization

    Another important point to be considered is the presentation. For top management you should avoid using technical jargon (concentrate on business benefits).

    These articles will provide you further explanation about ISO 27001 benefits and top management:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/

    These materials will also help you regarding ISO 27001 benefits and top management:
    - ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Internal and surveillance audits


    Answer:
    You are mentioning two types of audits: internal or first-party audits, and third-party audits. Certification and surveillance audits are third-party audits. After the certification audit, your organization will have two yearly surveillance audits, and three years after certification your organization will have a re-certification audit.

    About your organization’s internal audits, there is one requirement, not included in ISO 9001:2015 but included in the contract with the certification body: at least once per year, in one or more audits, all ISO 9001:2015 clauses will be audited.

    The following material will provide you information about surveillance audits:

    - Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Correction vs corrective action

    Answer:

    When something goes wrong you have a non-conformity. For example, your company sent the wrong product to fulfill a customer order. Or your production line manufactured a product with a defect, or your after-sales service provided the wrong service.

    When you have a non-conformity, you need to eliminate it. Correction attacks non-conformities: a correction focuses on the defect, on what is wrong, and tries to solve the situation. For example, through rework, through scrapping, through downgrading, or through a discount with the customer to see if he agrees to receive the wrong product.

    Corrective action is done after the correction and has another purpose: to try to eliminate the cause behind the non-conformity. When we do an effective corrective action, we eliminate or reduce the non-conformity’s frequency of occurrence. For example, changing a raw-material supplier in order to minimize production problems due to a raw material.

    The following material will provide you information about corrections and corrective actions:

    - ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Consent to use personal data

    2. When consent is revoked, what is required to be done with the data collected during the time of consent?

    Answers:

    1. The EU GDPR only deals with personal data. So, using any information that doesn’t constitute personal data is not covered by the EU GDPR. However, consider that the data needs to be fully anonymous and cannot be linked to a specific individual. Another thing to take into account is that the data you are referring to may be protected by other laws, such as intellectual property laws, so you need to ensure that the data is not protected by any other laws.
    2. After the consent is withdrawn, no further processing of personal data which was based on it is allowed. The data obtained and processed before remains valid as long as the consent was valid.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Scenario 1/Scenario 2

    Scenario 2: We do not obtain any personal data from anyone (including from the EU) to process their clinical trial provided by our sponsors (who obtain consent from subjects). In this case, what are our obligations to ensure we comply with the EU GDPR?

    Answers:

    1. Consent is not necessarily required. You just need to provide an adequate privacy notice to the relevant employees pursuant to Article 13 of the EU GDPR – “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/), covering, among other things, the fact that data may be sent outside the EEA. In addition, you need to ensure that adequate safeguards are in place to regulate the data transfer, such as Standard Contractual Clauses.
    To learn more about data transfers, check out our webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

    2. So you are obtaining personal data from someone, namely the “sponsors”. If the personal data you process relates to individuals in the Union, then the GDPR is applicable to you. To establish exactly what your obligations are, one of the first things you need to do is establish whether you are a controller or a processor.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Legal basis

    2. What is the most simple but also complete form of consent we can use?

    Answers:

    1. You can only choose legitimate interest for marketing campaigns if you consider factors such as:
    - whether people would expect you to use their details in this way;
    - the potential nuisance factor of unwanted marketing messages; and
    - the effect your chosen method and frequency of communication might have on more vulnerable individuals.

    Also consider that individuals have the absolute right to object to direct marketing under Article 21(2) – “Right to object” (https://advisera.com/eugdpracademy/gdpr/right-to-object/); it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual).

    2. There is no such thing as “simple and complete”, because the requirements of the EU GDPR in terms of consent are quite extensive. Thus, consent needs to be a freely given, specific, informed and unambiguous indication of the individual’s wishes. You must keep records so you can demonstrate that consent has been given by the relevant individual.

    To learn more about marketing and the EU GDPR check out our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/