How Can ISO 27001 Support GDPR Compliance?

“ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS).”

The GDPR encourages organisations to use certification schemes like ISO 27001 to ensure best data security practice.  ISO 27001 is the best choice since it is the only auditable international standard that defines the requirements of an information security management system (ISMS).  ISO 27001 is a comprehensive package that covers the three threats to information security: people, processes and technology.  Implementing ISO 27001 will enable you to constantly monitor and improve performance, and continually identify, minimise and eliminate internal and external risks to your organisation’s data.

How does ISO 27001 meet GDPR requirements?

Article 32 states:

‘…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’

1. ‘The pseudonymisation and encryption of personal data.’

“…the standard helps organisations to identify what data to select for encryption.”

ISO 27001 identifies data encryption as a way of reducing security risks.  Through a risk assessment, the standard helps organisations to identify what data to select for encryption.  At the heart of ISO 27001 is the ‘confidentiality, integrity and availability of data’.   Simply encrypting all data goes against these values as it might impede access for those who need it to perform their jobs.

2. ‘The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.’

“ISO 27001 states that organisations must take steps to assure the confidentiality, availability and integrity of data…”

ISO 27001 states that organisations must take steps to assure the confidentiality, availability and integrity of data by carrying out a thorough risk assessment to identify threats to personal data security.  Steps must then be taken to minimise or eliminate those threats.

3. ‘The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.’

ISO 27001 covers business continuity management.  The standard provides a set of procedures that will help an organisation to protect vital data processing activities in case of a serious incident.

4. ‘A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’

“ISO 27001 continually provides proof of best practices in line with GDPR compliance.”

ISO 27001 certified organisations receive regular audits from their accredited certification body to ensure that their ISMS continually meets the standard.  Therefore, ISO 27001 continually provides proof of best practices in line with GDPR compliance.

What are the other benefits of ISO 27001 certification?

ISO 27001 brings organisational advantages that reach beyond GDPR compliance, including:

  • Peace of mind for your clients, employees and stakeholders.
  • Allows for secure exchange of information.
  • Provides you with a competitive advantage over companies who are not ISO 27001 accredited.
  • Helps meet ISO 9001 requirements by identifying and managing data security as an ‘external threat’.
  • Helps you comply with other regulations, e.g. the US Sarbanes-Oxley Act (SOX).

What steps does my organisation need to take to implement ISO 27001?

1. Perform a gap analysis

This will reveal the differences between your current information security processes and ISO 27001 requirements.  It helps you to identify the actions you need to take, and resources required to close the gap.

2. Write an ISMS Scope

Examine what sort of security threats you face from outside your organisation.

Consider:

  • Where are the threats coming from?
  • Who might want to compromise our information?
  • What kinds of techniques might they use?

Once you understand this then write an ISMS scope.  If you start with a small scope, you can implement an ISMS quickly and then build up your strategy from there.

3. Information security policy

An information security policy is key to ensuring that your management understand your strategy and its benefits.

4. Management approval

The most effective way to convince management of the value of an ISMS based on ISO 27001 is to demonstrate how it will reduce their costs.  Costs can be reduced by a better understanding of business processes as this sometimes reveals opportunities for savings. ISO 27001 also brings with it customer confidence, which will increase sales.  Security breaches can also incur heavy fines under the GDPR.

5. Conduct a risk assessment

Plan how you are going to assess risks and identify what your most significant risks are.

6. Create a Risk Treatment Plan (RTP)

Once you have identified the risks, you can design a risk treatment plan.  An RTP is a way of setting out which risks can be reduced or managed and what actions you will take to do this.

7. Risk measures

Once you have identified your risks and decided what actions to take, look at Annex A of ISO 27001.  This lists 114 different security controls.  It seems overwhelming, but you don’t need to take all these measures – just select which ones are best for your organisation’s needs.

The importance of performing an internal audit

“An internal auditor has a vital role in reporting to senior management on how the ISMS is performing.”

Now that your controls are in place you need to carry out an internal audit.   This means that another person within your organisation, or from outside your organisation, will carry out an independent review of your ISMS.

An internal auditor has a vital role in reporting to senior management on how the ISMS is performing.  They need to continually monitor the effectiveness of the ISMS so that senior managers can determine whether the ISMS’s objectives are consistent with the organisation’s business objectives.

The audit must be carried out by somebody who has relevant expertise but has not been involved with any of the work you have carried out.  Senior managers and HR managers are well placed for the role since they are used to ensuring that policies are kept up to date and they understand the requirements of the GDPR.  They can be trained as internal auditors by taking an ISO 27001 Internal Auditor Training Course.

Contact us for more information on how ISO 27001 can benefit your organisation, and for support with implementation, audits and training.


Why Has the GDPR Introduced ‘Privacy by Design’ and ‘Privacy by Default’?

‘Privacy by Design’ and ‘Privacy by Default’ are not new concepts.  The right to privacy is a fundamental aspect of the European Convention on Human Rights and is already at the heart of all ethical organisations.  However, the GDPR is the first European data protection legislation to explicitly recognise these rules.

What is ‘privacy by design’?

“Organisations must design policies, procedures and information systems that make the protection of data subjects’ privacy central to their company ethos.”

Under the GDPR, organisations are legally required to embed data subjects’ privacy rights into every aspect of their business operations.  Through a ‘privacy policy’ data subjects must be made fully aware of their privacy rights and how to complain if they believe their data is being misused. Organisations must design policies, procedures and information systems that make the protection of data subjects’ privacy central to their company ethos.

Organisations must consider privacy at the initial stages and throughout the development of a new product, process or service that involves processing personal data.   The embedding of data privacy features into the design of projects can have the following benefits:

  • potential problems are identified at an early stage, making them less costly and easier to resolve
  • increased awareness of privacy and data protection across the organisation means less likelihood of breaching the GDPR
  • the organisation’s actions are less likely to be intrusive and have a negative impact on data subjects

What is ‘privacy by default’?

“Under the GDPR organisations can only process personal data that is necessary for their intended purpose and must not store it longer than is necessary for this purpose.”

‘Privacy by default’ means that organisations must implement technical and organisational measures that, by default, ensure only personal data that is necessary for a specific purpose is processed.  Minimising the amount of data collected reduces the risk of privacy breaches.  Under the GDPR organisations can only process personal data that is necessary for their intended purpose and must not store it longer than is necessary for this purpose.

In addition, when an IT system includes choices for the data subject on how much personal data they share and with whom, the default settings should be privacy friendly.

What technical and organisational measures should be taken to protect privacy?

“…organisations need to consider the nature, scope, purposes and context of their data processing.”

When deciding what technical and organisational measures make the best investment, organisations need to consider the nature, scope, purposes and context of their data processing.  They need to weigh up the risks to individuals’ rights and freedoms should a data breach occur and consider how personal data can be pseudonymised.  As well as this, thought must be given to the ways in which systems meet other GDPR requirements.  For instance, can:

  • personal data be collated with ease in order to comply with subject access requests?
  • data be suppressed when customers have opted out of direct marketing communications?
  • the data controller satisfy the GDPR data portability requirements?

What steps can your organisation take to meet the GDPR’s ‘privacy by design’ and ‘privacy by default’ rules?

  1. Put in place an automated deletion process for particular personal data with a system that flags up when data should be deleted.
  2. Make sure excessive data isn’t collected by revising data collection forms.
  3. Revise contracts between yourself and the data processors you work with so that everybody understands how liability will be apportioned should a privacy breach occur.
  4. Design a Privacy Impact Assessment (PIA) template that can be used every time the organisation implements a new system.

What is a Privacy Impact Assessment (PIA)?

“PIAs help organisations to identify, assess and minimise privacy risks when processing data.”

PIAs are an integral part of taking a ‘privacy by design’ approach.  They help organisations to identify, assess and minimise privacy risks when processing data.  Carrying out a PIA helps an organisation to comply with the ‘accountability’ principle of the GDPR.

When should a PIA be conducted?

“PIAs must be conducted where data processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.”

The GDPR states that PIAs must be conducted where data processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.  The GDPR identifies specific high-risk activities in Article 35:

  • ‘A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.’
  • ‘Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.’
  • ‘Systematic monitoring of a publicly accessible area on a large scale’.

The best time to conduct a PIA is at the very start of a project, so that its findings can be incorporated into the design of the processing operation.

Does your organisation need advice to meet GDPR requirements?

“…specialists can customise PIAs to suit your organisation’s needs.”

IT specialists and consultants can support you in meeting the GDPR’s ‘privacy by design’ and ‘privacy by default’ requirements as well as in conducting PIAs.  For example, by using software assisted processes specialists can customise PIAs to suit your organisation’s needs.  Benefits might include:

  • highly efficient PIA processes supported by specialist software
  • customised, automated reports which give a clear overview of processes, risks and progress
  • real-time track records of the actions taken to minimise risks
  • evidence of the accountability required by the GDPR
  • baseline criteria to benchmark operations from an employee or client perspective

What’s not to like?

By making ‘Privacy by Design’ and ‘Privacy by Default’ mandatory, the GDPR gives greater privacy protection to data subjects.  By meeting legal obligations, organisations build trust in their clients – and that’s fundamental to business success!

Is your organisation GDPR ready? Visit www.ndcmanagement.co.uk/GDPR-support to find out how NDC Global Auditors can help you prepare.

NDC Global Auditors Brings Training Services to Wiltshire

It’s been a busy and exciting start to the year for us here at NDC Global Auditors. In February, we moved from our Swindon offices to Trowbridge, where we have set up a Wiltshire Training Academy. Businesses across Wiltshire can now access a wide range of open access training courses that will help them to stay legally compliant.

Helping You to Achieve ISO and GDPR Compliance

Businesses are increasingly under pressure to demonstrate legal compliance in areas such as quality, information security, environmental management, and health and safety. Achieving ISO certification allows businesses to demonstrate best practice and strive for continual improvement. More and more organisations are recognising this, and the need to put systems and training in place to protect their business. In response to this growing need, NDC has expanded its service offering to help businesses achieve their goals across all core areas of legal compliance.

What’s New?

Open Access Courses

In addition to our on-site consultancy and training services, we now offer a full range of open access training courses at our Wiltshire Training Academy, and at the Pilgrims Academy in Redhill, Surrey.

Our courses cover all aspects of compliance in relation to:

  • Information security
  • Health, Safety, Fire and First Aid
  • Environmental Management
  • ISO Standards

You can find our full range of training services on our website.

Information Security and GDPR Services

With the GDPR on the horizon, and the increasing sophistication of cyber-crime technology, information security is a growing concern for businesses of all types and sizes. To help our clients protect this aspect of their business, we have expanded our services to include ISO 27001 Information Security Management, and in particular, support for the new GDPR.

For more information on our consultancy and training services, please email info@ndcmanagement.co.uk or call us on 0333 939 8797.

Do the Control of Asbestos Regulations 2012 Affect My Business?

Asbestos awareness is vital.  According to the Health and Safety Executive (HSE), asbestos kills around 5000 workers each year – more than the number of people killed on roads.  When employers fail to comply with the Control of Asbestos Regulations 2012 it can be life-threatening, resulting in prosecution and potentially catastrophic fines.

Why is asbestos dangerous?

If materials containing asbestos are disturbed, then toxic fibres are released into the air.  These fibres don’t have an immediate effect but can cause fatal conditions like asbestosis, which is a lung disease, and asbestos-related lung cancers.  These diseases are not often diagnosed until it’s too late.  Protect yourself and your workers by building asbestos awareness.  You don’t necessarily need to remove asbestos.  You do, however, need to identify and manage asbestos so that it never presents a health hazard.

Am I responsible for the asbestos in my building?

Under the regulations, if you own your premises, then you are responsible.  If you are a tenant, then you might still be accountable.  Under your tenancy agreement, if you are responsible for alterations, repairs and maintenance then you are also responsible for asbestos control.  If you share maintenance duties with the owner or other occupiers of the building, then you are jointly accountable.

What happens if my employees encounter asbestos while working on or off site?

Employees need to be made aware that they should stop work immediately if they suspect asbestos is present.  Asbestos work can only be carried out by a non-licensed contractor where appropriate information, instruction and training have been given.  Under the Control of Asbestos Regulations 2012 the majority of employers working with asbestos need a license.  Employers have a legal duty to provide instruction and training to employees who are likely to come across asbestos.

What happens when the Control of Asbestos Regulations 2012 are breached?

In August this year a Wigan building contractor was fined nearly £8,000 for breaching regulations.  His work resulted in asbestos contamination of somebody’s home.  The owners couldn’t enter their house for a week while a £12,000 clean-up operation was carried out.  HSE Inspector David Norton said: ‘This incident could so easily have been avoided by simply carrying out correct control measures and safe working practices. Companies and individuals should be aware that HSE will not hesitate to take appropriate enforcement action against those that fall below the required standards’.

Understand your legal duties by reading the regulations on the HSE website.

How do I detect asbestos?

Asbestos can be found in any building built before 2000.  If in doubt, always assume the building contains asbestos.  The HSE website contains several images to help you to detect the substance.  However, it’s difficult to identify because it’s often mixed in with other materials.  You can pay an external asbestos licensed contractor to carry out a search.

How can I raise my employees’ awareness about working safely with asbestos?

NDC Global Auditors offers a half-day Asbestos Awareness course which will help you and your employees to detect asbestos, stay safe and stay legal.  Our course can be delivered on-site to your team, or your employees can attend an open access course at our Wiltshire or Surrey-based training centres.

Benefits of NDC’s Asbestos Awareness course:

As well as learning the dangers of asbestos, you will discover how to identify the different types and locations of asbestos in the workplace and on customers’ sites.  The course thoroughly covers:

  • The types of materials that can contain asbestos
  • The legal duty to manage asbestos
  • Safe work practices
  • Control limits
  • Accidental release and decontamination procedures
  • The uses and limitations of respiratory protective equipment and personal protection equipment

Why is asbestos awareness training essential?

To avoid disturbing asbestos, you must be able to spot it.  Well-informed employers understand how to reduce or eliminate the risks to their employees’ health and to stay inside the law.  Employees who are asbestos aware will be able to assess the risks on an ongoing basis, knowing when to protect themselves and how they would deal with contamination.

For further information on our Asbestos Awareness Course, visit our website or get in touch to book your place.

How Will the GDPR Affect Children’s Data Processing?

“The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’…”

The GDPR will bring in special protection for children’s personal data, particularly where it is used for information services such as online shopping, live or on-demand streaming services and for social networking.  The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’, explaining that this is because children ‘may be less aware of the risks, consequences and safeguards’ of handing over their personal data.  The regulation says that this is particularly the case when services are offered directly to a child and when their personal data is used for marketing and creating online profiles. If your company processes children’s personal data, here are the changes that will affect you:

Age of consent

“…the person with parental responsibility must give their consent for a child under 16 to share their personal data.”

Under the current Data Protection Act, a child of any age can give their personal data away online without parental consent.  This will change under the GDPR, which defines the age of consent as 16.  The GDPR states that the person with parental responsibility must give their consent for a child under 16 to share their personal data.  Data controllers are required to make ‘reasonable efforts’ to verify parental consent.

NOTE: Recital 38 states that parental consent is not required for counselling services offered directly to a child.

Member states may choose to change the age of consent from 16.  The UK government is planning to lower the age of consent to 13.  This won’t have too much impact on children’s social networking because children under 13 are already excluded from social networking sites such as Facebook and Snapchat.  However, under the new regulation organisations are likely to have to verify the ages of their subscribers, which they don’t have to do presently.  For services aimed at under-13s, organisations will have to prove that they have received parental authorisations.

Privacy notices

“Privacy notices for children must be…concise, transparent and in plain language.”

Privacy notices for children must be as transparent as those written for adults – the GDPR’s Article 12 says the information provided to data subjects must be concise, transparent and in plain language. Just like adults, children must know the identity of the data controller and how their personal data will be processed. They must also be made aware that they can withdraw their consent to data processing at any time (see the previous blog post ‘What will consent mean under the GDPR?’ for more information).  When writing privacy notices aimed at children, data controllers must take account of the specific age group of their audience so that they write in clear language that the child can easily understand.

Can you justify processing children’s data under GDPR rules?

“…the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.”

GDPR Article 6 (1) (f) says that the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.  Data controllers must make sure they have documentation to show that they have carefully considered this.  When we look at the GDPR definitions of ‘legitimate interests’, we can see that processing children’s data is unlikely to be necessary for most of these purposes.

Legitimate interests include:

  • processing for direct marketing purposes or preventing fraud – Recital 47
  • transmission of personal data within a group of undertakings for internal administrative purposes, including clients’ and employees’ personal data – Recital 48
  • processing to the extent strictly necessary for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems – Recital 49
  • reporting possible criminal acts or threats to public security to a competent authority – Recital 50.

Codes of conduct

“It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.”

GDPR Article 40 requires member states to create their own codes of conduct. This includes safeguarding children’s data, specifically the way in which consent is gained and documented.  It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.

How can my organisation plan for changes?

Start by ensuring that:

  • you watch for the publication of codes of conduct that might impact your data processing
  • you implement appropriate parental consent mechanisms, including verification processes
  • where you offer services directly to a child, the notices are written in child-friendly language
  • any reliance on ‘legitimate interests’ to process children’s data is supported by carefully documented evidence to show that the child’s interests don’t override those of your organisation

For further advice and support on meeting the requirements of the GDPR, contact our lead auditors on 0333 939 8797 or email us at info@ndcmanagement.co.uk.

What Will ‘Consent’ Mean Under the GDPR?

“Under the GDPR the definition of consent is clearer and more rigorous…”

The current Data Protection Act (DPA) and the GDPR both state that every organisation that processes personal data must have a legal basis for doing so; ‘consent’ is just one choice. If consent is your chosen legal basis then you need to be aware of differences between the current DPA and the GDPR.  Under the GDPR the definition of consent is clearer and more rigorous in order to ensure a consistent approach across the EEA.

The definition of consent in Article 4 (11) of the GDPR is: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’  Let’s look at some of the words and phrases in detail:

Freely given

“…data subjects must provide consent of their own free will and must never be misled…”

Current Data Protection guidance states that data subjects must provide consent of their own free will and must never be misled or somehow negatively impacted by refusing consent. The GDPR formalises this, stating that consent is not deemed to be freely given when:

  • ‘the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment’ (Recital 42).
  • ‘there is a clear imbalance between the data subject and the controller’ (Recital 43). This especially applies when the data controller is a public authority with power over the data subject.

Recital 43 says that consent is not deemed to be freely given if the provision of a service is conditional on the data subject agreeing to have their data processed in ways that are not necessary to that service. The reason is that the data subject has no choice but to agree to this unnecessary processing.  Recital 43 also says that consent is not freely given if separate consents are not obtained for different data processing operations.  ‘Bundled’ consents are usually invalid.

Specific

“A general consent to unspecified processing operations will normally be invalid.”

Consent must be specifically obtained from the data subject for each and every personal data processing operation. A general consent to unspecified processing operations will normally be invalid.  There are exceptions to this such as when data processing is for scientific research.

Informed

“…data subjects must be informed of their right to withdraw consent …”

The GDPR states that:

  • ‘the data subject should be aware at least of the identity of the controller and the intended purposes of the processing’ – Recital 42.
  • ‘data subjects must be informed of their right to withdraw consent at any time prior to giving consent’ – Article 7 (3)

Unambiguous…clear, affirmative action

“…pre-ticked boxes and silence do not constitute consent.”

Under the current DPA, consent must be unambiguous. The GDPR takes this further.  Consent requires a clear affirmative action – pre-ticked boxes and silence do not constitute consent.  Clear affirmative action could be obtained in writing which includes electronic forms, or it can be oral.  Obviously oral consent makes it more difficult to prove that consent has been obtained.  Online forms should be written in plain language so that there is no question that the data subject understands what they are agreeing to.  Where consent is included in terms and conditions then it must be presented so that it stands out from the rest of the document.

The right to withdraw

“Organisations must make it easy to withdraw consent…”

GDPR Article 7 (3) says that data subjects must be able to withdraw their consent at any time. They must be informed about their right to do that at the time of granting consent.  Organisations must make it easy to withdraw consent, so if your company relies on consent as its legal basis you need to make sure that this won’t pose considerable challenges.

‘Explicit’ consent

“…explicit or express consent is given in writing with a handwritten signature.”

Where the GDPR sets out the legal requirements for sensitive data it uses the term ‘explicit consent’ rather than just ‘consent’. Sensitive personal data is information about a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or criminal offences. The GDPR doesn’t define the difference between ‘explicit consent’ and ‘consent’. Therefore you could take the advice of the Article 29 Working Party in Opinion 15/2011 who consider that: ‘…explicit or express consent is given in writing with a handwritten signature.  For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data’.

How can my organisation prepare for changes to consent?

If you are relying on consent as the basis for lawful processing make sure that:

  • consent doesn’t rely on silence or pre-ticked boxes
  • consent is specific to each type of processing that you carry out
  • consent isn’t embedded within other documents like your terms and conditions, but stands out
  • the supply of your service isn’t on the condition of data subjects supplying consent for processing activities that are not necessary to your service
  • data subjects are clearly informed that they can withdraw consent at any time
  • methods for withdrawing consent are easy to use
  • separate consents are obtained for each processing operation
  • consent is not the legal basis for processing personal data when there is an imbalance between the data subject and data controller.

Final point: make sure that you are aware of all types of legal basis for processing data. Under the GDPR, using ‘consent’ as your legal basis for processing personal data is not always the easiest or best option.

For further advice and support on meeting the requirements of the GDPR, contact our lead auditors on 0844 826 6006 or email us at info@ndcmanagement.co.uk.

5 Benefits of Task-based Risk Assessment

Risk assessment is a fundamental health and safety requirement in any type of organisation. When it comes to the manufacturing and engineering industries though, the value of task-based risk assessment goes beyond meeting legal requirements and keeping workers safe. Here are five reasons to include task-based risk assessment in your organisation’s core training programme.

1. It’s good practice

Task-based risk assessment forces the assessor to understand each step involved in a work-based task or process, and to examine all aspects of the activity being assessed, such as:

  • the task itself
  • the environment in which it takes place
  • the people that the task affects
  • the maintenance requirements of the equipment and plant involved.

This systematic exploration of an activity is both proactive and thorough. It gives the assessor an understanding of the risks involved in any given task, and of how wider organisational systems and processes impact on that task.

2. It’s inclusive

It’s impossible to conduct task-based risk assessment without directly involving the employees that carry out the task in question. This brings a number of benefits:

a) Tests whether your policies and processes translate directly into practice. Assessing a task allows you to see exactly how it is carried out on the ground. Employees that perform the task can give valuable insight into why written procedures might not be practical or safe in reality. Where unsafe working practices have become the norm, the assessor has the opportunity to discuss with workers which alternative safe methods could work in practice.

b) Encourages employee buy-in. When employees feel consulted, they generally feel more motivated to engage. Staff that have contributed to a risk assessment process are far more likely to adhere to the assessment's recommendations.

c) Encourages a positive reporting culture. Employees are more likely to report potential risks if their observations are acted upon, and they feel that they are contributing to wider organisational goals.

3. It highlights quality and operational issues

Because task-based risk assessment looks into whole processes, it can identify wider quality and operational issues within your organisation. Involving your quality or continuous improvement managers in the task-based risk assessment process can help to meet wider strategic aims and improve communication across functions.

4. It reduces costs

Once embedded within your organisation, task-based risk assessment, and an associated training programme, can help reduce health and safety costs by:

  • proactively identifying and preventing risks
  • improving working practices
  • reducing insurance premiums and litigation fines — providing evidence of your task-based risk assessment training programme and practices can increase eligibility for premium discounts and leaner fines in the event of a compensation claim.


5. It drives continuous improvement

Task-based risk assessment requires that you review risk whenever there is a significant change to the task (equipment, personnel, environment, materials used, etc.). This approach to risk management demonstrates a commitment to continuous improvement in your health and safety practices. This is not only good practice in itself, but also meets the criteria for standards such as OHSAS 18001, the new ISO 45001, and ISO 9001:2015.

Are you ready to train your team?

NDC is the only provider of the IOSH approved Task-based Risk Assessment training course. Our 5-day course offers the knowledge, skills and practical application of task-based risk assessments for:

  • general risks
  • CoSHH
  • display screen equipment (DSE)
  • manual handling operations
  • work at height.

We deliver the course on your premises so that delegates have the opportunity to practice risk assessment techniques in their working environment. This is an assessed course — successful delegates receive an IOSH-approved Task-based Risk Assessment certificate upon completion. All course participants receive a workbook to help them put their learning into practice after the course.

For further information or to book a course, contact us on 0844 826 6006 or info@ndcmanagement.co.uk.