QUALITY MANAGEMENT BLOG

Cooperation between Quality Management and Data Protection: Sensitive Issue of Personal Data

Data protection is playing an increasingly important role in the operational practice of institutions. A milestone here was the introduction of the EU General Data Protection Regulation (GDPR) in May 2016, whose provisions came into force in May 2018. Since then, there have been even more pitfalls in this area to avoid.

Quality management and data protection must therefore work even more closely together. Personal data in particular should be collected, processed and stored in such a way that institutions offer no avenue of attack. The provisions of the GDPR place particular emphasis on this. For this reason, an auditable system for the management of data is essential.

Requirements for proper handling of personal data

In particular, the system must meet the following six requirements for handling personal data:

  • The data is collected for clear, well-defined and legitimate purposes.
  • The data collected is processed transparently and fairly in accordance with legal requirements.
  • The data set collected is adequate for the intended purpose and is further processed in accordance with the principle of data economy.
  • The data collected must be accurate and up to date. Incorrect data must be corrected or deleted without delay.
  • The data shall be stored in a manner that allows identification of data subjects only within a strictly limited time frame. The time period must not be longer than is strictly necessary for the intended purposes.
  • The data shall be processed in a manner that ensures that confidentiality, integrity and appropriate security are guaranteed.

Interlocking appropriate standards

The British data protection standard BS 10012 has proven itself in practice as a reference standard for ensuring high quality in the handling of sensitive data. Because of its similarities with quality management according to ISO 9001, the standard can be integrated very well into the processes of an institution that is certified to ISO 9001. It is important to remember that data protection has become an essential quality feature of an institution. Quality management processes should therefore be aligned with proven data protection standards. By building on an existing management system, an organisation avoids unnecessary duplicated work. In addition, this merging increases security and simplifies processes within the organisation. For several reasons, it is advisable to use the BS 10012 standard for data protection alongside an ISO 9001 certification and to integrate the two systems with each other.

  • Both systems impose obligations on management. In both BS 10012 and ISO 9001, the people at the top of the institution are responsible for ensuring that the requirements of each standard are met. Leaders must encourage their managerial staff to implement, monitor and control the systems.
  • In both cases, process orientation is present. By orienting itself to ISO 9001, an institution places a greater focus on the processes within the organisation. Quality management therefore already provides a good basis for introducing a management system for data protection. There are further similarities between data protection and quality management: the quality of products or services is significantly influenced by how data is obtained and used, and for data relating to persons the quality requirements are especially high. For this reason, possible or existing risks already feed into the quality management process.
  • Information is documented. Some documents of the QMS can be reused to meet the requirements of BS 10012 regarding responsibilities, processes and information obligations. This provides a solid basis for preparing the remaining data protection documentation.
  • Quality Manager and Data Protection Officer. Quality managers are very well suited for the position of data protection officer. They already have a sound insight into procedures, processes and topics related to data protection. They can also benefit from this knowledge as data protection officers. For this reason, it is a good idea for institutions to appoint both positions to one person. If this is not possible, at least a very close cooperation between the data protection officer and the quality manager is advisable. This should lead to an intensive exchange of knowledge and experience.
  • Improvement as a continuous task. Both quality management and data protection require continuous development and improvement. Regular internal audits serve as the tool to ensure that this requirement is met. This leads the institution to review and question itself, setting it on the path to permanent improvement.
