SGCMF©10002:2013 LEVELS 2-3 | AUDITOR, DATABASE & PRIVACY MANAGEMENT

16 hour course + progress test

THE TRAINING COURSE
The SGCMF©10002:2013 standard aims to protect, keep available and assess the accuracy of the personal data of persons authorised to prescribe drugs, data that is collected and managed for corporate purposes linked to drug marketing.
A proper and thorough internal audit allows organisations to monitor corporate processes effectively and keep privacy compliance in the management of medical archives under control.
The delicate transition period linked to the approval of the European regulation (EU GDPR 2016/679) requires an appropriate assessment of the implementation of internal processes, so that companies can be fully compliant and have efficient control systems in place by 25 May 2018.

OBJECTIVES
The course studies in depth the techniques and logic of an internal audit, read through the lens of the data protection regulations, of Database Management Systems containing information on medical and hospital appointments, and provides the skills needed for a correct assessment of the risks of processing that information.
The objective of Level 2 of the Auditor, Database & Privacy Management course is to analyse the main critical aspects of the sector, starting from real and landmark cases and from the most recurrent non-conformities, and to provide a complete understanding of internal auditing techniques.
The course will also give operators the skills needed to manage the transition from the current regulation to the application of EU Regulation GDPR 2016/679, with particular focus on the principle of Accountability of the Data Controller, who must be able to demonstrate that processing is carried out using proper, tangible, robust and transparent methods that respect the individual and his or her dignity.

TARGET AUDIENCE

  • Compliance/Legal Managers
  • Data Protection Officers
  • Data Processors of personal data
  • CRM Managers/SFE Managers

MINIMUM REQUIREMENTS

  • Participation on the Auditor, Database & Privacy Management course – Level 1
  • Basic knowledge of Italian Legislative Decree 196/2003 and Italian Legislative Decree 219/2006

REGULATIONS OF REFERENCE

  • SGCMF 10002:2013
  • Italian Legislative Decree 196/2003
  • Italian Legislative Decree 219/2006
  • UNI CEI EN ISO/IEC 17065
  • UNI EN ISO 19011:2012
  • UNI EN ISO 9001:2008

TEACHING
The course is given by teachers with specific experience in management systems, processes and procedures for processing data held in corporate databases, in compliance with the statutory requirements of the existing Data Protection regulations.

TEACHING MATERIAL
Teaching notebook containing:

  • The Authority’s provisions affecting the area of reference (pharma)
  • Slides shown during the course

MODULE 2

THE PROGRAMME

9:00-9:30 – Registration and Coffee

9:30-13:00

The Internal Auditor's task: where we left off and the objectives for module 2

  • The new European Regulation coming into force
  • Transition from the provisions of Italian Legislative Decree 196/2003 to those of EU Regulation 2016/679

SGCMF©10002:2013 certification scheme

  • Database audit process: operational checks
    • Data precision and updates
    • Uniqueness
    • Relevance and non-excessiveness
    • Minimisation

13:00 – Light Lunch

14:00-18:00

  • System audit on corporate policies and procedures
    • Appendix A of SGCMF©10002:2013 scheme
    • The Data Controller's responsibilities and designing processing
    • Managing medical archives for detailing activities
    • Processing security measures
    • Requests for access, correction and deletion
    • Training

Guidelines for conducting a Management System Audit (UNI EN ISO 19011)

18:00 – Close

MODULE 3

THE PROGRAMME

9:00-9:30 – Registration and Coffee

9:30-13:00

The certification process in companies

Audit assessments: levels of Non-Conformity

  • Data Non-Conformity
  • Minimising collection
  • Privacy by default and by design
  • Management awareness
  • Training and education of employees
  • Intellectual property and ownership
  • Dealings with third parties
  • Assessment of the risks of processing data
  • Impact assessment for profiling
  • Procedures to issue information notices and collect consent
  • Right to know – Need to reply
  • Notification and transfer of data abroad
  • Processing security measures

13:00 – Light Lunch

14:00-16:30

Corrective actions and practical applications

Case studies

16:30-17:30

Final test (multiple-choice questions and practical cases)

18:00 – Close