How an IT VAR can evaluate the impact of GDPR on its ISO 9001 QMS.


How is GDPR going to affect your ISO 9001 QMS?
Here is the experience of a quality coordinator working in the ICT channel: my own experience.

Regulatory requirements in the ISO 9001:2015 norm.
In ISO 9001:2015 (the norm), regulatory requirements are considered external issues (Fig 1).

Fig 1 – Regulatory requirements as external issues

The quality coordinator has to support management in evaluating the impact of the regulatory requirements on the organization's quality management system (QMS).
The norm also says that this evaluation should take place in the planning phase and that the impact should be evaluated as a risk (Fig 2).

Fig 2 – Plan the impact of Regulatory requirements

The norm does not impose any specific method or technique for evaluating this risk. So, between the publication date of a regulatory requirement and its entry into force (25/05/2018 for the GDPR), there is considerable flexibility in deciding when to start the impact analysis.
In my case, this flexibility is over when a new post about the impact of GDPR on business appears on LinkedIn every day; it is only a matter of days before my boss calls me into his office.

Analysis of the GDPR: my particular perspective.
It's time to study the GDPR. I like to start from the recitals. They are closer to plain English than the articles, and they are not classified in chapters.
In this way, I am free to classify the recitals to reflect their impact on the QMS of my organization. The quality coordinator is not a jurist who has to study a law in great depth because he must then apply it to different circumstances; the quality coordinator has to study the law just enough to understand its impact on his own organization: in my case, an IT VAR company, similar to BIT.
Moreover, the possibility of building categories makes the study of a law less boring (I still need several cups of good 'espresso' to finish the job).
Finally, studying the recitals first lets me go faster through the articles: it took me about 4 hours to read the recitals and about 1 hour to read the articles. I also like to note the terms of the law that I find particularly important.
So, in about one day of work I had a flexible and personalised tool ready to help me evaluate the impact of GDPR on the processes and procedures of my company.

Risk Evaluation of GDPR on the local QMS.
The QMS of my company is part of an ISO 9001:2008 matrix certification.
This means that centralized processes are certified at group level.
We are currently in full transition to the 2015 version; the group quality coordinator has not yet communicated how he will implement the risk analysis in the matrix QMS, but this should not stop the local quality coordinator from evaluating the impact of the GDPR on the local processes and procedures (Fig 3).

Fig 3 – Risk evaluation of GDPR

I am ready to propose the method to "filter" the processes and procedures that are impacted by GDPR (Fig 4).

Fig 4 – My method to identify the impacted processes

The next step is to evaluate the risk of GDPR on the impacted processes and procedures, together with possible countermeasures (Fig 5).

Fig 5 – Risk analysis of GDPR at tactical and operational level

I am now ready to be called into my boss's office. If he likes this approach, I will then present it to the group quality coordinator (to verify that it does not violate the governance that he is planning for the risk analysis of regulatory requirements) and, if I survive, I will then present it to the owners of the procedures and processes.
The proposed countermeasures are, of course, just a basis for discussion, to agree with them on improvement actions that will then be reported in the general improvement plan.

What is your approach to evaluate the impact of GDPR on your QMS?

