How can a small (1-2 person) company correctly implement the GDPR?
The first thing you need to do is to know what personal data your company processes, where it is stored and how it is secured. You need to know your business. Then, you need to verify that data subjects are informed through a privacy notice and that they can exercise their rights. You should also verify that you have taken technical and organizational security measures to protect personal data in your company and that your suppliers and data processors are compliant with GDPR requirements.
Here you can find more information:
Also, what tools are available for a Marketing agency to provide its clients with GDPR implementation?
There are plenty of tools on the market that help you with GDPR implementation. However, you should be aware that there is no one-button solution that makes your company compliant with GDPR. Compliance is a process you need to implement in your company and periodically verify and update. Advisera developed the GDPR Toolkit in order to make it easy for small and medium companies to comply with GDPR requirements.
Here you can find more information:
Establish a set of quality objectives (clause 6.2.1) based on your organization’s quality policy (clause 5.2.1 b)).
For example: reduce customer complaints, reduce delivery delays, reduce internal defects.
Now, for each objective your organization must develop a plan (clause 6.2.2): what needs to be done, by whom, until when, with what resources.
Your organization should make people aware (clause 7.3) of: the quality objectives, how they can contribute to meet them, the potential consequences of not meeting them.
Periodically your organization should monitor the evolution of the action plans and of performance associated with each quality objective (clause 9.1.3) and evaluate effectiveness of action plans (clause 9.3.2 c) 2)).
The following material will provide you more information:
The appointment of a data processor under Article 28 GDPR is necessary when another party processes data on behalf of the controller. The GDPR also considers visitors' IP addresses to be personal data; therefore, if the website manager also provides the hosting service and stores visitors' data on its own servers (or on those of one of its suppliers), it should be appointed as a processor for better compliance.
If, instead, the school's website is hosted on the institute's servers, the website manager does not carry out any processing on behalf of the school, but is a party authorized by the controller to update and maintain the website. In this case, it would be advisable to insert a clause in the service contract concerning confidentiality and compliance with the school's internal data protection policies.
You can also find further information here: EU GDPR: controllers vs. processors – What are the differences? https://advisera.com/eugdpracademy/it/knowledgebase/il-gdpr-dellue-controllori-a-confronto-con-processori-quali-sono-le-differenze/
You can consider enrolling in our free course:
As you said, the Schrems II decision invalidated the EU-US Privacy Shield; therefore, you need to consider using another legal ground to allow personal data transfers between the US and the EU (i.e. the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR)).
The European Data Protection Board (EDPB) recently published a FAQ sheet on the implications of the Schrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
One of the suggestions made by EDPB is to consider avoiding storing personal data in the US and prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.
You might also be required to appoint an EU representative for GDPR compliance. It is a simple procedure with a service agreement, and you can appoint a company, a legal entity or another individual who can be contacted by the Data Protection Authorities if needed.
Here you can find more information:
You can consider enrolling in our free EU GDPR Foundations Course
No, it is not mandatory to maintain a risk register. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
Having said that, I recommend that organizations maintain a risk register.
You can find more information below.
Recently the European Court of Justice (in the Schrems II decision) invalidated the adequacy decision of the EU Commission, which had held that the US Privacy Shield granted an adequate safeguard for data protection in the United States. This means that any data transfer between the EU and the US must rest on another legal ground, like the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR).
The European Data Protection Board (EDPB) recently published a FAQ sheet on the implications of the Schrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
One of the suggestions that arose from the EDPB is to consider avoiding storing personal data in the US and to prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.
Here you can find more information:
You can consider enrolling in our free EU GDPR Foundations Course:
Answer:
1. Upstream and downstream audits are about doing audits along a supply chain, upstream or downstream from a reference point.
2. A horizontal audit is when you audit one process across many departments in the organization. A vertical audit is when you audit all the processes used by a department.
3. Process audits are another name for horizontal audits.
4. These are the more common types.
You can find more information below
Please note that ISO 27001 does not provide technical guidance on how to perform data disposal.
For technical guidance, you should consider these references:
These articles can also help:
What I am looking for is a cleaning validation SOP for an orthopedic medical device.