How is GDPR going to affect your ISO 9001 QMS ?
Here the experience of a quality coordinator working in the ICT Channel: my experience.
Regulatory requirements in the ISO 9001:2015 norm.
In the ISO 9001:2015 (the norm), the regulatory requirements are considered
external issues (Fig 1).
The quality coordinator has to support the management to evaluate the impact of the regulatory requirements on the quality management system (QMS) of the organization.
The norm also says that this evaluation should happen in the planning phase and the impact should be evaluated as a risk (Fig 2).
The norm does not impose any specific method and/or technique to evaluate this risk. So, between the date of publication of the regulatory requirements and its entry into force date (25/05/2018 for the GDPR), there is quite flexibility to decide when to start the impact analysis.
In my case, this flexibility is over when in LinkedIn a new post appears every day that speaks about the GDPR impact on the business; it Is only a question of days that my boss will call me in his office.
Analysis of the GDPR: my particular prospective.
It’s time to study the GDPR . I like to start from the recitals. They are closer to plain English then articles and they are not classified in chapters.
In this way, I am free to classify the recitals to reflect their impact on the QMS of my organization. The quality coordinator is not a jurist that has to study a law very deeply as he must then apply it to different circumstances; the quality coordinator has to study enough the law to understand the impact on his own organization: in my case, an IT VAR Company, similar to BIT.
Moreover, the possibility to build categories makes the study of a law less boring (I still need anyway several coups of good ‘espresso’ to finish the job).
Finally, the study of the recitals allows me then to go quicker in the study of the articles; it took me about 4 hours to read the recitals and about 1 hour to read the articles. I like also to note the terms of the laws that I found particular important.
So, in about one day of job I had ready a flexible and personalised tool to help me to evaluate the impact of GDPR on the processes and procedures of my Company.
Risk Evaluation of GDPR on the local QMS.
The QMS of my Company is part of an ISO 9001:2008 Matrix certification.
This means that centralized processes are certified at group level.
We are currently in full transition to the 2015 version; the group quality coordinator has not yet communicated how he will implement the risk analysis in the Matrix QMS but this should not stop the local quality coordinator to evaluate the impact of the GDPR on the local processes and procedures (Fig 3).
I am ready to propose the method to “filter” the processes and procedures that are impacted by GDPR (Fig 4)
The next step is to evaluate the risk of GDPR on the impacted processe and procedures together with a possible countermeasures (Fig 5)
I am ready now to be called in the office of my boss. If he likes this approach, I will then present it to the group quality coordinator (to verify that it is does not violate the governance that he is planning for risk analysis of regulatory requirements) and, if I survive, I will then present it to the owner of the procedures and of the processes.
The proposed countermeasures are, of course, just a base of discussion to agree with them improvement actions that will be then reported in the general improvement plan.
What is your approach to evaluate the impact of GDPR on your QMS?