Search results


  • Data Subject Access Request

    The right of access is a fundamental right of the data subject. As stated in Article 15 GDPR - Right of access by the data subject - paragraph 3: “The controller shall provide a copy of the personal data undergoing processing”. However, paragraph 4 states that “The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others”. So you should redact the personal data of other data subjects (including usernames, pseudonyms, etc.), intellectual-property-protected data, and confidential data (including customer names, customer financial information, discounts, financial offerings, invoices, contracts, etc.).

    Advisera’s EU GDPR Premium Toolkit might help you in this endeavor, because as part of the toolkit we have a template for a Data Subject Access Request Procedure as well as templates for disclosure forms.


    Please visit these links for more details:

  • Production Part Approval Process

    It can fit in the Design and development process, but also in the verification of supplied products. 

  • Single Registration Number for MDR

    A single registration number is a number that each business entity has to obtain from EUDAMED or the local competent authority. A single registration number has to be requested for a manufacturer, an importer, and an EU representative. Distributors do not need to be registered in EUDAMED. This is covered in Article 31 of the MDR 2017/745.

    For more information, see:

    Regarding the codes, there are specified codes for medical devices. The MDR has a code system called the European Medical Device Nomenclature, covered in Article 26 of the MDR. You can find more details regarding this nomenclature at the following links:

    • European Medical Device Nomenclature (EMDN) - https://webgate.ec.europa.eu/dyna2/emdn/A
    • MDCG 2021-12 FAQ on the European Medical Device Nomenclature (EMDN) - https://ec.europa.eu/health/system/files/2021-06/md_2021-12_en_0.pdf
    • EU MDR Article 26 – Medical devices nomenclature - https://advisera.com/13485academy/mdr/medical-devices-nomenclature/

    • New implementation: ISO 27001:2013 + ISO 27002:2022

      This will depend on the date you want to be certified. If you want to be certified before March 2023, go with the 2013 revision; after March 2023, go with the 2022 revision.

      Please note that after the release of the new version of ISO 27001, any required changes will have a transition period to be implemented (in general this transition period is two years after a change in a management system standard is released, which is plenty of time to do this transition for most controls).

      For further information, see:
      - 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/ 
      - Should you start implementing ISO 27001 2013 or 2022 revision? https://advisera.com/insight/chatbot-implement-iso-27001-2013-or-2022-revision/

    • Failed Change

      Incidents (based on a failed change) should be recorded as incidents. Since you know that the incidents are caused by a poorly implemented change, I assume you know the root cause. If not, resolve the incident and open a problem to find out the root cause. And eliminate it.

      The PIR should analyze the whole case to learn why this happened and what to do so that it is not repeated. An improvement or corrective action should follow.

      The number of incidents caused by an implemented change is a good KPI for the process (efficiency).

      See the article "Post Implementation Review – Buzzword, or mighty tool?" at https://advisera.com/20000academy/blog/2015/02/03/post-implementation-review-buzzword-or-mighty-tool/ to give you a few ideas related to the PIR.

    • Detailed explanation of 11 new security controls in ISO 27001:2022

      Only controls from ISO 27001 Annex A may be excluded. All requirements from clauses 4 to 10 are mandatory if you want to be compliant with ISO 27001.

      For further information, see:

    • ISO/IEC 17025 Certificate duration

      ISO 17025 accreditation is valid for the length of the specified accreditation cycle. This period varies depending on the accreditation body and sector. Accreditation bodies must comply with the ILAC (International Laboratory Accreditation Cooperation) policy that accreditation cycles must not be longer than 5 years. Typically, this period is four years for some laboratories, but for others it can be as short as two years or as long as the maximum of five years. Accreditation cycles begin on the date of the decision to grant accreditation. After that date, accreditation bodies perform surveillance assessments to continually monitor the competency and compliance of the laboratory. A full reassessment must be scheduled, and accreditation granted, before the expiry date of the certificates.

      For specific information for your laboratory, I advise you to contact the accreditation body you will use for assessment. This information should be available on their websites, as it is policy-driven.

      For more information have a look at the webinar What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/

    • ISMS 27001 processes

      1 - I am in the process of setting up the ISMS with your toolkit. What I miss (or haven't found) are the processes (structure) for change management or patch management.

      To be compliant with ISO 27001 you only need a Change Management Policy, which can be found in folder 08 Annex A Security Controls >> A.12 Operations Security

      For an optional more robust documentation (this is not required for ISO 27001), please take a look at this toolkit:

      It is designed for compliance with ISO 20000, but can be adjusted to be used with ISO 27001. It covers the following documents:

      • Request for Change and Change Record - Minutes of Meeting CAB
      • Change Schedule
      • Change Management Process
      • Change Management Policy

      For further information, see:

      2 - As well as the subdivision into management, core and support processes. This is required for the process landscape.

      Regarding processes classification, ISO 27001 does not require processes to be mapped. It is not generally required for the toolkit implementation (for that you only need to implement the documentation in the order they are presented in the toolkit’s folders).

      In a general manner, you can consider this classification:

      • management processes: management review
      • core processes: risk management, security operations, processes monitoring
      • supporting processes: document and record management, internal audit

      • Design and Development Agreement

        Do you have a template for "Design and Development Agreement". I mean for outsourced process?