General Data Protection Regulation (GDPR)

Definitions

Personal data means information about a particular living individual.

  • This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public.

Personal data:

  • Does not need to be ‘private’ information. Even information which is public knowledge or is about someone’s professional life can be personal data.

  • Does not cover truly anonymous information, but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.

  • Only includes paper records if you plan to put them on a computer (or other digital device) or file them in an organised way. If you are a public authority:

    • All paper records are technically included

    • You will be exempt from most of the usual data protection rules for unfiled papers and notes.

Data processing

Almost anything you do with data counts as processing. This includes collecting, recording, storing, using, analysing, combining, disclosing or deleting it.

Data protection

Data protection is:

  • The fair and proper use of information about people

  • Part of the fundamental right to privacy, but on a more practical level

  • Essential to innovation.

It is about:

  • Building trust between individual people and organisations

  • Treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.

  • Removing unnecessary barriers to trade and co-operation.

Data protection exists in part because of international treaties for common standards that enable the free flow of data across borders.

  • The UK has been actively involved in developing these standards

  • Its data protection regime is set out in the DPA 2018 and the UK GDPR.

Good practice in data protection is vital to ensure public trust in, engagement with, and support for, innovative uses of data in both the public and private sectors.

Data Controller

A controller is the person that decides how and why to collect and use the data.

  • This will usually be an organisation, but can be an individual (e.g. a sole trader).

If you are an employee acting on behalf of your employer, the employer would be the controller.

The controller must make sure that the processing of that data complies with data protection law.

Data Processor

A processor is a separate person or organisation (not an employee) who processes data:

  • On behalf of the controller

  • In accordance with their instructions.

Processors have some direct legal obligations, but these are more limited than the controller’s obligations.

Data Subject

The technical term for the individual whom particular personal data is about. In this guide we generally use the term ‘individuals’ instead.

Overview

GDPR is an EU regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).

The General Data Protection Regulation (EU) 2016/679 (GDPR):

  • Was introduced by the European Parliament and Council of the European Union in April 2016

  • Was implemented, and became EU law, on May 25, 2018

  • Is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA)

  • Addresses the transfer of personal data outside the EU and EEA areas.

The Aim

The GDPR's primary aim is to:

  • Give individuals control over their personal data

  • Simplify the regulatory environment for international business by unifying the regulation within the EU.

What is superseded by GDPR

Superseding the Data Protection Directive 95/46/EC, the regulation:

  • Contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA

  • Applies to any enterprise, regardless of its location and the data subjects' citizenship or residence, that is processing the personal information of individuals inside the EEA.

GDPR at a glance

  • Data protection is about ensuring people can trust you to use their data fairly and responsibly.

  • If you collect information about individuals, for any reason, other than your own personal, family or household purposes, you need to comply.

  • The UK data protection regime is set out in the DPA 2018, along with the UK GDPR.

    • It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.

ICO, the UK GDPR Regulator

The ICO (Information Commissioner's Office) is the UK’s independent authority, set up to:

  • Uphold information rights in the public interest

  • Promote openness by public bodies

  • Promote data privacy for individuals.

The ICO:

  • Offers advice and guidance

  • Promotes good data protection practice

  • Carries out audits

  • Considers complaints related to data protection

  • Monitors compliance with the GDPR

  • Takes enforcement action where appropriate.

Controllers and Processors of personal data

Controllers and processors must put in place appropriate technical and organizational measures to implement the data protection principles.

Business processes that handle personal data must:

  • Be designed and built with consideration of the principles and provide safeguards to protect data

    • Example: by using pseudonymization or full anonymization where appropriate.

Data controllers must design information systems with privacy in mind.

  • Example: using the highest-possible privacy settings by default, so that the datasets are not publicly available by default and cannot be used to identify a subject.

Six lawful purposes for personal data processing

No personal data may be processed, unless this processing is done under at least one of the six lawful bases specified by the regulation, i.e., consent, contract, public task, vital interest, legitimate interest, or legal requirement.

More specifically:

  • The data subject has given consent to the processing of his or her personal data

  • To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract

  • To comply with a data controller's legal obligations

  • To protect the vital interests of a data subject or another individual

  • To perform a task in the public interest or in the exercise of official authority

  • For the legitimate interests of a data controller or a third party

    • Unless these interests are overridden by the interests of the data subject or his or her rights according to the Charter of Fundamental Rights (especially in the case of children).

When the processing is based on consent, the data subject has the right to revoke it at any time.

 

Data controllers must:

  • Clearly disclose any data collection

  • Declare the lawful basis and purpose for data processing

  • State how long data is being retained and whether it is being shared with any third parties or outside of the EEA.

Firms:

  • Are obligated to protect the data of employees and consumers to the degree that only the necessary data is extracted, with minimal interference with the data privacy of employees, consumers, or third parties.

  • Should have internal controls and regulations for various departments such as audit, internal controls, and operations.

Rights of data subjects

Data subjects have the right to:

  • Request a portable copy of the data collected by a controller in a common format

  • Have their data erased under certain circumstances.

Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data, are required to employ a data protection officer (DPO), responsible for managing compliance with the GDPR.

Data breaches and fines

Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy.

In some cases, violators of the GDPR may be fined up to:

  • €20 million, or

  • 4% of the annual worldwide turnover of the preceding financial year, in the case of an enterprise, whichever is greater.


British Airways fine for 2018 data breach reduced to £20 million

GDPR is binding and applicable

As the GDPR is a regulation, not a directive:

  • It is directly binding and applicable

  • It does provide flexibility for certain aspects of the regulation to be adjusted by individual member states.

The regulation became a model for many national laws outside the EU, including those of Chile, Japan, Brazil, South Korea, Argentina, and Kenya. Also, the California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.

Does GDPR apply to me?

Yes, if you have information about people for any business or other non-household purpose.

  • The law applies to any ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.

You do not need to comply if you only use the information for your own personal, family or household purposes.

  • Examples: using personal data for personal social media activity, private letters and emails, or use of your own household gadgets.
