In a previous post, Advisera (Andrei) indicated that we are not required to send any of our completed documentation to our Supervisory Authority (I assume it’s only required in the event of a breach or complaint). If we’ve completed all our documentation and we feel that we have the proper processes and procedures in place, who actually determines, or how do we know, if we’re GDPR-compliant?
Need for Data Protection Impact Assessment
We currently have lots of processes in place, including a risk register, so we assess and measure risk. I’m not sure if we need a DPIA?
As a complete beginner on the subject, I am wondering whether the DPIA has to be performed depends on the size of the company. In other words, do you treat a one-man company differently to a company with 200 plus employees? On an even simpler level, does my own business contact list also fall within the GDPR, and must it be maintained separately from my personal contact list?
Article 30 Records of processing activities
I’ve had a chance to look through the Toolkit and I don’t see anything relating to reporting requirements. Specifically, I’m wondering if you have a template for Article 30 reporting and/or any other report requirements. Am I missing that in the templates or is that something Advisera doesn’t have at this time?
GDPR Documentation Process
Let’s say we’ve completed all our GDPR documentation, policies, and our contracts, processes, etc. are GDPR-compliant, what happens next? Are we supposed to send it to the ICO/SA (we’re in the UK) or do we hold onto it until requested by the SA?
Controlling customer data
I wanted to ask you a question about GDPR in relation to controlling CUSTOMER (DEBTOR) data. As this is not PERSONAL data, GDPR doesn’t apply. Correct?
Employee background check
Can you please provide clarity on employee background checks as it relates to ISO 27001 and GDPR? My understanding is from an ISO 27001 standpoint it’s not necessarily required but it should be part of the risk assessment as to whether or not to perform them. With GDPR, my understanding is that it actually won’t even be allowed anymore?
Is there any examination required before someone becomes a GDPR consultant?
GDPR - Supervisory Authorities
We are a business operating offices in the UK, Canada, US and Australia, but each business is a separate legal entity. As far as GDPR is concerned, we collect PII from EU citizens in the UK, and that data is sent to our US offices for further processing. That data may also be partially shared with our Australia and Canada offices. In terms of the types of Supervisory Authorities, how do we determine where we need to have a Supervisory Authority, a Lead Supervisory Authority, and a Local Supervisory Authority? Do we need to determine an SA only for the UK, or, since we’re transferring data to a 3rd country, do we also need to determine a Lead SA/Local SA?
Data importer and Data exporter
What is the definition and role in GDPR for data importer and data exporter?