Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Lead generation service
Answer:
The lead generation service that you buy your services from would need to be GDPR compliant before sending you the data. After the application date that is. -
Consent under the EU GDPR
Answer:
Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR only if it also meets the requirements of the Regulation.
This may be difficult given the new and stringent requirements for consent. If the consent is does not meet the requirements of the EU GDPR you should consider approach the existing customers or to obtain a fresh consent that is valid under.
Consent under the EU GDPR needs to be “freely given, specific, informed and unambiguous indication of the individual’s wishes”. This means among others that:
- Inactivit y or silence is not enough and the use of “pre-ticked boxes” is not permitted so the opt-out solution will not work.
- “Bundle consent” is not allowed. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
- The individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.
If your consent does not comply with these requirements you would need to approach he data subjects again to obtain fresh new EU GDPR compliant consent.
You might find these materials on consent useful for your task:
- https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/;
- https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/;
- https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/ -
Integrity, responsibility and security of the data systems
Answer:
ISO 27001 is a good starting point and it constitutes a best practice in terms of implementing technical and organizational measures to protect company IT assets including data and personal data as well (if you have defined personal data as an asset). You can check out this article https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/ -
Notice in local language
Answer:
Yes, the notices need to be written in "clear and plain language". This also includes the fact that all the affected data subjects would need to understand the content within. -
QMS as a preventive system
Answer:
You are right in one important point. The whole QMS is, or should be, a preventive system. Your procedures and instructions reduce risks, they prevent wrong things from happening. But, please, check the definition of risk. There is an important point: uncertainty. Your procedures and instructions can’t consider everything. You should review activities and procedures/instructions to evaluate if there are new risks to be considered worth of changes in the way of acting.
The following material will provide you in formation about the risk-based approach:
- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Shortning the quality manual
When I saw in the content “Job preparation (very detailed check-list of tools and…” I remembered quality manuals made in the late 80’s, because the standard at that time mentioned that the manual should refer to the documentation or include it. As you know, ISO 9001:2015 does not require a quality manual nevertheless most organizations are keeping a document that they call the Quality Manual, or the Management System Manual. I advise you to proceed with your idea or making it as short as possible, perhaps 10 pages. 10 pages where you answer to questions like:
a) Who are we?
b) What do we do?
c) Whom do we serve?
d) What kind of compromises do we assume?
e) How do we work? (where you can map your processes)
Your idea of a separated Operations Manual for example, seems very good.
Please see bellow some material with information about the quality manual:
- ISO 9001 – Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Risk based approach
Answer:
1. For example, in a Test Lab setting or in an Inspection Certification Body I would act in the same way:
a) what are the overall results that you intended to meet with your QMS in those settings?
b) did you map the processes for each of those settings? For each process, what are the overall intended results? For each process, what is its purpose?
c) for each service provided by each setting, what are the performance objectives, the specifications?
Then, for those three kinds of expected results you can ask: what can go wrong? In what ways can those expected results not being met? Each of those ways of failure is a risk. That would be my starting point. I would improve this baseline assessment with iterations done after non-conformities and performance evaluation.
2. ISO 31000 is for doing more than what is requested by ISO 9001:2015. It gives guidance, for example, about possible types of actions concerning risk mitigation, risk avoidance and risk reduction.
Please see bellow some material with information about the risk-based approach:
- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Time scale for assessments
< 1 hour
1 hour < 4 hours
4 hours < 24 hours
24 hours < 2 days
1 week
Would the results be affected drastically compared to the initial time scale assessments?
Answer: The values presented in the template for time scale can be changed to fit your organization's needs without problem. They are only examples based on our experience, and changing them won't have effects on your results considering your organizational context.
This material will provide you further explanation about continuity strategy:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/ -
BIA questionnaire content
Answer: The items identified are only examples. You should evaluate your organizational context to identify which to include or not, as well as include other items not mentioned in the list.
This materisl will provide you further explanation about BIA questionnaire:
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/ -
Internal audit scope
Answer: Broadly speaking, you should consider the areas responsible for ISO 27001 main requirements (e.g., document control, risk assessment, management review, corrective actions, etc.), and the areas where the applicable controls stated in SoA are implemented. If you plan a single audit, all the controls stated in SoA should be audited. If you are planning multiple audits, then you can audit part of the controls stated in SoA on each internal audit, but you have to ensure that all controls were covered by your planned audits.
This article will provide you further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/ books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/