Search results


  • Auditing AS9100D with transition training only


    Answer: The process of auditing is to compare what is actually happening in a process against the planned arrangements. That being said, if you already know how to audit then what you need to update is your understanding of the planned arrangements, and an awareness and transition course will have given you this knowledge. In many cases this is all that would be needed to audit against AS9100 Rev D. I say in most cases because it is up to the company to determine the competence required for internal auditors, so if the company competence requirements are understanding auditing, understanding AS9100 Rev D and understanding internal company processes, then it is the knowledge needed to meet these requirements that needs to be demonstrated, and the transition course could be one way to do this.
    For some more information on the changes see this article: https://advisera.com/9100academy/knowledgebase/as9100-rev-d-vs-rev-c-what-has-changed/
  • Process mapping?


    Answer:

    ISO 9001:2015 requires that your organization determines all key processes. “Determines” means that it is your organization that defines and establishes what is a key process, considering the scope of your QMS. ISO 9001:2015 does not use the word map, and does not require any particular visual approach to characterize each process. For example, you can use a table, with each process in a row, and each item of clause 4.4.1 of ISO 9001:2015 in columns.

    The following material will provide you information about the process approach:

    - ISO 9001 – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • 3rd Party Integrator Question


    My question is, do we need to have any integration partner (once again not hired by us) complete a variation of the form, 11-A.13.2 Annex 2-Standard Contractual Clauses for the Transfer of Personal Data to Processors?

    Answer:

    In the situation described by you it seems that you are sharing the information with those vendors because you are instructed by the controllers to do so.

    If this is the case, the Controllers should be the ones that require the vendors you share the information with to sign a Data Processing Agreement.
  • Representative services


    Answer:

    If you act as a controller or a processor and you are not established in the EU, the EU GDPR will be applicable to you under the following conditions (https://advisera.com/eugdpracademy/gdpr/territorial-scope/):
    - You are offering goods or services to individuals in the EU (even free of charge);
    - You are monitoring the behavior of individuals in the EU;

    Where these extra-territorial provisions apply, the controller or processor must appoint a representative. That representative must be based in a Member State.

    This is an onerous role to take on: the EU representative will have to face off to the relevant supervisory authorities and accept liability for breaches of the EU GDPR, which could be substantial. So I am not sure why anyone would want to act as a representative.

    So the bottom line is that Advisera does not provide this kind of representative services.
  • Agreements with suppliers


    Answer: I am along the same lines as the Transmisión Digital supplier, because I suppose they are treating your ERP supplier as a supplier that processes, or stores, their information, and from my point of view it is not necessary to have a commercial relationship in order to exchange information between two parties (for example, I can send you an email with confidential information before starting a commercial relationship, but beforehand I will ask you to sign a confidentiality agreement).

    On the other hand, Annex A of ISO 27001 has control A.15.1.2, which says: “All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information”. Therefore it is clear, from the point of view of ISO 27001, that if the ERP supplier processes or stores information, it is a supplier that should sign an agreement with the company that has implemented/certified ISO 27001.

    Finally, this article on handling security in supplier relationships may interest you, “6-step process for handling supplier security according to ISO 27001”: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Risk analysis and preventive actions

    I received this question: I have a doubt about how manufacturers in the pharmaceutical industry would apply preventive actions if they are replaced by risk analysis. Does a risk analysis have to be done for each nonconformity....

    My answer: In the new version of the standard, instead of a single one-way preventive action process, which was generally carried out at a low level of the organization and stayed there, there is now a risk-based approach process led by the team that has all the available business information, which is top management. In ISO 9001:2015 the organization's top management is involved in the process of identifying, recording, eliminating and mitigating risk. The risk-based approach can therefore be considered a more effective process than the preventive actions of the old version of the standard. For more information, see the following article: "The risk-based approach replacing preventive actions in ISO 9001:2015: the benefits" https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/ nowledgebase/el-enfoque-basado-en-riesgos-reemplazando-las-acciones-preventivas-en-la-iso-90012015-los-beneficios/

    As for risk analysis, there are no requirements in the standard on how to do it. You can carry it out in the simplest way, which would be a meeting of the most relevant staff of the organization, or perform a SWOT (DOFA) analysis of weaknesses, opportunities, strengths and threats, and from there determine the actions to address the most relevant risks and opportunities.

    For more information, see the following article (in English), "How to address risks and opportunities in ISO 9001": https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/#

    These materials may also help you with the implementation of ISO 9001:
    - Book "Preparation for the ISO implementation project: a plain-language guide": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online training: ISO 9001 Foundations Course https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Conformio (free online tool for ISO 9001): https://advisera.com/conformio/
  • SAAS type services

    1. Internal processes. In our case we’re a small organization and the personal data of staff and new hires will only be processed by 1 administrative person or the direction itself. If we guide these in clear procedures, which only are a few, we should be ok here.
    2. With our SAAS product we’re processing personal data on behalf of our customers. In here we need to make sure our application supports:
       a) The option to add extra statements and/or references to our customers' regulations regarding GDPR.
       b) The ability to delete a person's data on request of the customer.
       c) The ability to anonymize data on request of the customer.
       d) Make sure we have decent processor agreements in place.
    Since we’re already having the ISO 27001 in place, the security of the product has already been standardized and documented. Is there any reason, and if yes which, to use all the templates provided in the toolkit? Because as far as I can see the most effort will be a couple of application changes and an internal procedure.
    We never use personal data for marketing purposes at all.

    Answer:

    From your description I understand that you are acting most of the time as a processor by providing SAAS type services. This actually limits to a certain degree your EU GDPR related risks, since some obligations are only applicable to controllers. For example, you don't have to deal with Data Subject Access Requests if the request comes from a data subject that you are not the controller for; however, if a request would come from one of your employees, you will have to address it.

    The same goes for data breaches: if the personal data affected by the breach is one of your controllers', then you need to notify the controller and not the Supervisory Authority or the affected data subjects. However, if the breach affects personal data of your employees, then the data breach notification obligations will fall on you.

    Another good example is compliance with the requirements of EU GDPR article 30 (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/), which are applicable to both controllers and processors.

    So, unless a thorough analysis of your activities is performed, we cannot advise you to discard any of the documents in the toolkit.
  • Inventory of processing activities and retention schedule


    Answer:

    The Inventory of processing activities needs to be filled in by the companies themselves; there are no “most used processing activities”, since these are closely linked to the business. For example, a call center's processing activities will be different from the ones of a recruitment company. This is why we provided in the EU GDPR toolkit the “Guidelines of Processing Activities Inventory”, which will explain how you could tackle this task.

    As for the Retention Schedule, it is somewhat the same story, especially for certain types of records for which the retention period is established by local legal requirements; for example, the retention period for CCTV footage is different between various Member States, and the same goes for payroll related documents as well.
  • Data retention policy


    Answer:

    The EU GDPR states that personal data should not be kept for longer than necessary (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/); thus all records of personal data need to be deleted at some point, when no longer needed for a specific activity.

    The documents listed in the Data Retention Policy are some of the most common records where personal data can be found; you can delete or add records based on your own business activity. Remember that the retention refers only to personal data; thus records that do not contain personal data are not in scope of the policy or the GDPR.
  • Quality Manual in IATF 16949


    Answer:

    IATF 16949 defines additional requirements to ISO 9001 specific to the automotive industry. ISO 9001 doesn't mention the manual, but IATF 16949 requires a Quality Manual that follows the structure of the standard, so it not only requires organizations to have the manual but also defines how it should be structured.

    For more information, see: How to write the IATF 16949 Quality Manual https://advisera.com/16949academy/blog/2017/05/31/how-to-write-the-iatf-16949-quality-manual/