Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • GDPR queries

    What is the prime difference between ROPA & PIA?

    I assume that for ROPA you mean Record Of Processing Activities under Article 30 GDPR and PIA as Privacy Impact Assessment which is another way to name Data Protection Impact Assessment DPIA under Article 35 GDPR.

    If so, ROPA can be seen as a consequence of PIA. PIA is crucial to apply the principle of Privacy by design in your organization. You need to evaluate the process according to the GDPR principle, assess risks, and then establish how your data processing will be carried out. ROPA, therefore, is the result of processes selected as compliant to privacy by design and other data processing principles that have been considered and assessed in PIA.

    While assessing a vendor, once I am done with the Information Risk Assessment Questionnaire, how would I be able to identify if I have to proceed with ROPA or PIA?

    PIA and ROPA are two different activities. Therefore, you need to assess risk with PIA, select the most compliant process, and then record them in ROPA.

    I have created ROPA and PIa questionnaires and added below sections; do these make sense or am I missing out on something?

    ROPAContact InformationBasic information on processing and responsibilityData CollectionPurpose and legal basis of data processingData transfers and recipientsStandard period for data erasureMeans of processingGroups with access authorization (simplified authorization concept)Technical and organizational measures (Art. 32 GDPR)Data portability

    PIABusiness / Project InformationGeneral InformationAttributes of the Data (use and accuracy)Sharing PracticesNotice to Individuals to Decline/Consent UseData sharingAccess to Data (administrative and technological controls)Privacy AnalysisRetention and Deletion

    Article 30 GDPR list the requirement of ROPA for the controller in paragraph 1 and for processors in paragraph 2. You are missing the categories of data subjects, the suitable safeguards adopted in case of transfer of data in third countries.

    Article 35 par. 7 GDPR requires for PIA at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

    • In your questionnaire, it seems that the assessment part and evaluation of risk are missing unless the title of section includes it. Remember to identify the data subjects and evaluate the risk of freedom and their rights.

    Here you can find more information:

    We developed some EU GDPR document template that might be helpful:

    You can also consider enrolling in our free EU GDPR Foundations Course

    • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// 

    • Doubts regarding the policy, scope ISO 27001:2013

      I would like to know how I can consider doing my company's procedures if 95% of my infrastructure is on AWS.
      For example, I wanted to think about whether AWS can share their SOA with me to learn about their goals and rationale for controls and align them with those of AWS.
      The only computers that are in the facilities are the PCs and all access via VPN to AWS.

      Regarding the ISMS scope and policies, you only need to focus on the part of the cloud infrastructure that you have direct control over (this will depend on the contracted cloud service - i.e. you would include data for SaaS, or data and application software for IaaS.).

      Examples of what needs to be done within the company are: security training and awareness, access control (defining who has the access, periodic review, etc.), etc.

      The part controlled by AWS you can handle through controls from section A.15 - Supplier relationships. In short, you need to identify the relevant risks related to the infrastructure controlled by AWS and check if the way they handle such risks is acceptable for your organization, and are properly documented in the Terms of Service. For that your understanding is correct, you can ask for the AWS SoA, so you can evaluate the applied controls, and check if they are included as security clauses in the Terms of Service. 

      You'll find a more detailed explanation here:

    • Scope of ISO 9001 and ISO 27001 integrated management system

      Please note that neither ISO 9001 nor ISO 27001 prescribe how to elaborate documents, so organizations are free to create them as best fit their needs.

      Considering that, both approaches (separate documents or integrated into your manual) are acceptable by these standards.

      Decision criteria you may use is the effort to keeping separate documents versus the size and complexity of a single manual.

      This article will provide you a further explanation about elaborating documents:

      This material will also help you regarding document management:

    • Internal audit options

      Internal audit can be performed by the organization's own employees, provided they have the competence and do not audit their own work. Or you can contract a third party to perform the audit (unfortunately, we do not provide such kind of service).

      As for to chose a third-party to perform the audit, you should consider at least these criteria

      • Experience and skills
      • Reputation
      • Understanding about your industry

      These articles will provide you a further explanation about internal audit:

      These materials will also help you regarding internal audit:

    • ISMS framework

      ISO 27001 aspects on the business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a full Business Continuity Plan is not mandatory for this standard, and you will only need the DRP.

      To see how a DRP compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our Disaster Recovery Plan at this link: https://advisera.com/27001academy/documentation/disaster-recovery-plan/

      This article will provide you a further explanation about DRP and BCP:

    • Chance to avoid the de-certification process

      "My plant has an open but 100% resolved NC due to poor performance with GM. They are scheduled to have the special audit in September to close the NC but meanwhile, the performance with the customer has been degraded instead of improving. Due to the increased number of complaints, they will still stay Red with GM until at least January 2021.The question is:1. What is the chance to avoid the de-certification process?

      I recommend you to be in close contact with your certification company as this issue is very critical. You should improve your GM performance results without wasting time. I would like to give you some information about this topic about IATF rules.

      IATF revision 5 rules are written for decertification in item 8.1 "a"

      The start date of the decertification process shall be the date of any of the following:

        1. The certification body receives a performance complaint against the client from an IATF OEM member, its relevant IATF Oversight office, or any automotive customer of the client.

        2. The client advises the certification body of a special status condition from an IATF OEM. Notification from the client to the certification body shall occur within ten (10) calendar days from receipt of the special status condition or otherwise specified by the customer

      The IATF revision 5 rules are set out in article 8.2 as follows:

      8.2 Analysis of the situation

      The certification body shall undertake immediate analysis of the situation to determine the severity of the situation and risk to the customers of the certified client, taking into account, where applicable, IATF OEM customer-specific requirements. This analysis shall be completed within a maximum of twenty (20) calendar days from the start date of the decertification process. Where major nonconformities are raised, the analysis shall include a review of the client submitted root cause including the method used; analysis, results, and implemented correction (see section 8.1 a) and 8.1 c). When the affected site is part of a corporate audit scheme, the analysis shall include a review of the concern and its impact across all sites.

      According to the rules, since there is a problem with a performance from GM, the de-certification process has to be started. So because you received bad performance notification, the de-certification process has to be started.

      IATF Rules stated in revision 5, item 8.4 as follows:

      8.4 Verification

      The certification body shall verify the effective implementation of the identified corrective actions from the certified client within a maximum of ninety (90) calendar days from the start of the decertification process. The decision to conduct onsite verification shall be at the discretion of the certification body. The certification body shall maintain records of the justification of the decision.In situations where the decertification process has been initiated due to major nonconformities (see section 8.1 c), the certification body shall conduct onsite verification ( see section 5.11.4) and the onsite audit shall be considered a special audit (see section 7.2) and be entered in the IATF database.In situations where the decertification process has been initiated due to a special status condition from an IATF OEM (see section 8.1 band section 1 0.0), the certification body shall conduct onsite verification and the onsite audit shall be considered a special audit (see section 7.2) and be entered in the IATF database. In situations where the decertification process has been initiated due to a surveillance audit not conducted on time (see 8.1 e), the onsite audit shall be the rescheduled surveillance audit and be entered in the IATF database.In situations where the corrective actions are not effectively implemented, the audit team shall recommend the withdrawal of the certificate.

      Can we present a newer plan approved by GM and the NC be carried over and be reviewed during a future special audit? Thank you very much.

      In the special audit that will take place in September, you should present your detailed root cause analysis and corrective action plan. Even in this audit, the recovery trend, which is the result of your actions, should be seen on the GM portal. If there is no improvement trend, the additional time may be taken by the decision of GM and Certification company.

      As stated in IATF Rules revision 5, item 8.5: The certification body shall make a decision to reinstate or withdraw the certificate, which shall include a certification decision (see section 5.12) within a maximum of 110 calendar days from the start of the decertification process. In other words, within 110 calendar days, the certification company has to decide on the subject.

    • ISO 9001 List of Documents needed for ISO Surveillance Audit

      Unless the audit team previously specifies any particular set of documents to be seen, for example when sending the audit agenda, you must be prepared to show any documents or records. Remember that some topics are always audited: internal audits; corrective actions, complaints, management review, quality objectives, risks and opportunities and context.

      You can find more information below:

    • ISO 9001 Project Phase

      Perhaps a 2x2 matrix where you relate the former and the actual organization structure could be useful to relate any change of responsibilities and authorities among functions. Then, it is a matter of updating documentation already created.

      The following material will provide you more information:

    • Requirements for implementation of ISO/IEC 17025:2017 in quality control lab

      The application and requirements of ISO 17025 for a Quality control laboratory is the same as any other testing laboratory. The only difference is that your client is internal, being the production facility. This means that the context is different, so the way you handle, for example your risks, opportunities and impartiality could be to a different extent. The laboratory may also, for example have a basic service level agreement with production  and the reporting requirements may be simplified, on agreement with production. Depending on your sector, there could be other interested parties, such as regulators and other standards that may in fact require your quality control testing laboratory to be ISO 17025 accredited. Either way, both the laboratory and production will benefit from the efficiency provided by the management system.

      Have a look at the free demo of the ISO 17025 Documentation Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ to provide further support.

      The following articles may be of interest:

      Six key benefits of ISO 17025 implementation at https://advisera.com/17025academy/blog/2019/10/18/six-key-benefits-of-iso-17025-implementation/
      What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/

      Also have a look at similar topics in the 17025 Expert Advice Community:

      ISO 17025 for internal quality control laboratory at https://community.advisera.com/topic/iso-17025-for-internal-quality-control-laboratory/
      Is it possible for the company's internal lab to get ISO accreditation? at https://community.advisera.com/topic/is-it-possible-for-the-companys-internal-lab-to-get-iso-accreditation/
      Assuring impartiality and confidentiality (for an internal laboratory) at https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
Page 327-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +