Let’s say we’ve completed all our GDPR documentation and policies, and our contracts, processes, etc. are GDPR-compliant. What happens next? Are we supposed to send it to the ICO/SA (we’re in the UK), or do we hold onto it until it is requested by the SA?
Controlling customer data
I wanted to ask you a question about GDPR in relation to controlling CUSTOMER (DEBTOR) data. As this is not PERSONAL data, GDPR doesn’t apply. Correct?
Employee background check
Can you please provide clarity on employee background checks as they relate to ISO 27001 and GDPR? My understanding is that, from an ISO 27001 standpoint, they are not necessarily required, but whether or not to perform them should be part of the risk assessment. With GDPR, my understanding is that they actually won’t even be allowed anymore?
Is there any examination required before someone can become a GDPR Consultant?
GDPR - Supervisory Authorities
We are a business operating offices in the UK, Canada, the US and Australia, but each business is a separate legal entity. As far as GDPR is concerned, we collect PII from EU citizens in the UK, and that data is sent to our US offices for further processing. That data may also be partially shared with our Australia and Canada offices. In terms of the types of Supervisory Authorities, how do we determine where we need to have a Supervisory Authority, a Lead Supervisory Authority, and a Local Supervisory Authority? Do we need to determine an SA only for the UK, or, since we’re transferring data to a third country, do we also need to determine a Lead SA/Local SA?
Data importer and Data exporter
What are the definitions and roles of the data importer and the data exporter under GDPR?
SaaS providers and EU GDPR
We use SaaS vendors quite a lot in our company. How can we fulfil the requirement of having signed Supplier Data Processing Agreements with large SaaS vendors, for example IBM, Microsoft, Cisco, etc., who are unlikely to sign something like that? Then, at the other end of the size spectrum, what about small vendors whom we pay something like $50/mo. and who have probably never dealt with GDPR? For example, a small SaaS vendor that hosts calendaring and appointment scheduling for our clients.
Processing of publicly available personal data
How does the GDPR apply to software that crawls the web and gathers publicly available email addresses (in order to help others quickly find business emails connected to a domain)? This is public data (not collected from individuals, but found on websites and also in Whois). But what bothers me is that the data has to be cached/stored so that the software can work, and that could be a problem. I would really appreciate it if you could point me in the right direction for my research. So far I have found nothing very relevant (except that, for example, Whois is still in debate with GDPR representatives).
Applicability of EU GDPR
I work for an American organisation that owns companies all over the world, including in the UK and Europe.
EU GDPR requirements for data controller and data processor
Have you come across EU requirements that a Controller and a Processor have to be assessed/certified to hold these positions?