What would be the appropriate method of verifying the ID of the person who submits a DSAR, more specifically, if the request isn’t done in person (i.e. by phone or e-mail)?
Instead of using an external 'independent' audit team from a third party, can we set up an internal audit team that is separate from those who currently manage our security, IT and GDPR processes to audit how well our company is implementing and adhering to our GDPR policies?
In section 7 of the DSAR Procedure document I have some questions.
Controller/Processor and DPO
Our company provides a School Information/Management System to schools worldwide. The schools determine what data they want to collect about the families/students and how they will use it in regards to the operation of the school. We develop, maintain and operate the database where all of this information is stored and accessed by numerous entities in the school and including parents. Employees from our company also access the school site to help in training, importing data into our system, and of course customer support.
Steps to become GDPR compliant
I work for a company that develops telemedicine software. Our software is HIPAA compliant. Recently, we received one client request to be GDPR compliant. Could you please guide me on approximately how much it would take to become GDPR compliant, both in terms of cost and time?
Legal review of GDPR documentation
By the way, from your experience, which of the policies and GDPR documentation in this toolkit need a legal review once completed?
Data Transfer Agreement
We are a small-sized processing company based in Switzerland, using suppliers/co-processors in the EU. I am going through the GDPR for DPOs training and want to quickly check my understanding. Am I right to assume that for EU suppliers we do not need a change of contract (relating to data transfer), whereas if we had suppliers from the US, for example, we would need to formalize data transfer in the form of a contract?
Tool to calculate the gap with the GDPR
Could you tell me whether you have any tool that calculates the gap with the GDPR?
Combining DPO and ISO role
I am curious to know what your opinion is about combining the Data Protection Officer and Information Security Officer roles in small to medium companies? Is this a good idea or not, and why?
CROSS BORDER PERSONAL DATA TRANSFER PROCEDURE
I've started reading through the 27k/gdpr combined doc set. I noticed in A.13 CROSS BORDER PERSONAL DATA TRANSFER PROCEDURE that in the body the document is referred to as "this policy" whereas the title is "...procedure". Is this a mistake, or do you intend to use policy and procedure interchangeably?