
  • Questions regarding GDPR


    I would very much appreciate some clarifications of the above:

    Are there any available GDPR certifications?

    If you are looking for a certification of individuals, GDPR does not require any certification.
    Even the DPO role does not require being in possession of a certification, yet the DPO must have deep knowledge of GDPR and privacy regulations.
    In reference to companies, Article 42 GDPR encourages the Member States to establish a data protection certification mechanism for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.
    There are plenty of courses on the market. Advisera also developed a free course where you can purchase access to the examinations and get a certificate. So if you are looking for a solution to certify the processes of your company as data controller or data processor, you can look for these solutions on the market.

    How do I start with mapping my processing activities?

    The first thing is to know your business. Think about:

    - what data you collect (e.g. name, surname, telephone numbers, IP address, physical address, pictures, health data, etc.)
    - who collects them (e.g. administration, HR, management)
    - why you collect them (e.g. to provide a service or a product, video surveillance, security reasons, public interests)
    - how you collect them (e.g. do individuals provide data to you through a form, a contract, a website, with/without consent)
    - how long you store those data (the time necessary to provide the service, 1 hour, 1 year, 10 years, or a legislatively determined period)
    - where you store the data (physical archives for paper documents, cloud service, internal servers)


    You can find some useful information here:
    - 9 steps for implementing GDPR: https://advisera.com/articles/9-steps-for-implementing-gdpr/
    - 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
    - In our Advisera GDPR Toolkit, there are Guidelines for Data Inventory and Processing Activities Mapping; here you can download a free demo to verify whether it suits your business needs: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/


    Is there any video surveillance policy available in the toolkits?

    We did not include a video surveillance policy in the toolkit because video surveillance is not directly regulated by GDPR, and most EU countries have their own rules. You should verify compliance with the internal rules of your country.
    Most rules require you to highlight the security reasons for video surveillance, and to avoid monitoring workers and public paths.
    They can require you to minimize the period you store images before overwriting them, to determine who can have access to the images (you should set access procedures for those images) and the location where recordings are stored. Most Surveillance Authorities or Member States have set their own specific requirements to comply with.
    You can draft your own policy, considering your country's requirements and the limits set in GDPR, as a data processing policy using the blank template from the GDPR Toolkit.

    You can also schedule a call with Advisera's expert, who can provide you with some guidelines on how to proceed with this document.

    I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?

    It depends on whether they process personal data on your behalf or not.
    Insurance companies are usually considered data controllers because they determine the purposes and means of data processing on their own.
    However, if they have direct access to your internal data (e.g. geolocation data from security tools installed in your company's car fleet) and process them on your behalf, by storing the data on their servers, they can be considered a data processor with reference to those data.


    Here you can find some references on data controllers and data processors:
    - EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

     

    How can I best present a privacy notice? Do clients need to sign the notice?

    A signature is a clear sign of acknowledgement, yet it is not mandatory. GDPR only requires you to inform your customers about your data processing activity and to collect their consent when required.
    Consent can be acquired through a signature, but also orally or by a clear affirmative action (e.g. ticking a checkbox).
    Therefore, you can present a privacy notice as a link in your email signature to make it easy for them to be informed, you can attach a privacy notice to your contracts, or you can inform them via telephone and register their consent (if needed); most of it depends on your activity.


    Here you can find some useful material to make a GDPR Privacy Notice:
    - Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
    - Article 13 GDPR https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/

  • ISO 9001 / QS Registered

    The term “registered” is sometimes used in North America, whereas in the rest of the world (and sometimes in North America) the term “certified” is used. This is why the terms “registrars” and “certification bodies” are used for the audit companies that perform these audits. So, the term registered is not necessarily obsolete, but it can be confusing for some companies, especially outside of North America. “QS registered” is not really a term used any more, as this was mostly attributed to automotive.

    What you should scrutinize more is what your labels are used for. For instance, if you are labeling products as “ISO 9001 registered”, this is not correct, as ISO 9001 certifies the management system and not the products. For more details on how the certification marks and labeling can be used, you should talk with your certification body (or registrar) about the rules for using certification labels.

  • ISO 9001 / Supplier approval requirements

    Your organization approves a procedure with supplier approval requirements. You can divide time into before and after the approval of the procedure. After approval you have to follow the procedure; regular suppliers from before the procedure's approval can be grandfathered. You can list regular suppliers and state that they are approved based on past performance.

    The following material will provide you with more information about supplier performance:

    - How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Screening requirement

    Please note that if control A.7.1.1. (screening) from ISO 27001 is applicable to your ISMS, then you have to apply it to all candidates for employment (by sampling candidates you will not be fulfilling the requirements for the control).

    What you can do to minimize effort is to apply screening only to roles that are related to unacceptable risks, or where legal requirements require the screening to be performed. Additionally, you can perform the screening only at late stages of the hiring process, when you will have fewer candidates to evaluate.

    This article will provide you with further explanation:
    - How to perform background checks according to ISO 27001 https://advisera.com/27001academy/blog/2018/03/26/how-to-perform-background-checks-according-to-iso-27001/

  • ISO 9001 / Certification and Trainings

    I do not know if under Philippine law you have to comply with any legislation in order to conduct training as a professional. So, let us skip that and assume that anyone can start a training business. Now, you want customers. Potential customers would like to have evidence of your know-how on the subject.

    One way of getting evidence of know-how is to have a certificate stating that. Advisera developed a set of online courses that allow people like you to enroll for free in a course, follow it at your own pace, and at the end take an exam and get a certificate recognized by Exemplar Global. Currently Advisera has the following courses:

    Advisera also has a blended or hybrid course (online course at own pace and an 8h online workshop):

  • Integrating EMS into a Quality Management System

    If your QMS is already compliant with the ISO 9001:2015 standard, then it becomes easy to integrate the ISO 14001:2015 standard for an EMS, or even the ISO 45001:2018 standard for an OHSMS. All of these standards follow a common format, so it is easy to go through and see which requirements are common, meaning that you can use a common process. You will need to perform a gap analysis against the additional standard to see what additional requirements you need to add.

    The most common processes to be easily integrated include Internal Audits, Corrective Actions and Management Review. However, you can also reuse many processes such as the identification of interested parties and their needs and expectations. If you have already done this for your QMS, you just need to use the same process and re-think who the interested parties are for your EMS or OHSMS.

    For more detail on integrating management systems, see our whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001

  • ISO 27001 data center control requirements

    I have a question: what are the ISO 27001 data centre control requirements for facilities and operations?

  • Privacy perspective for facial reconstitution software

    I want to set up a startup and develop software for facial reconstitution.

    Are there any constraints from a privacy perspective?

    Most constraints will depend on the kind of software you are going to develop. Consider that if your software does facial recognition, the data will be considered biometric data under Article 9 GDPR, so consent will be needed from the end-user of the software.

    If the software is used for forensic purposes, it may fall under Article 9, letters (f) and (g), GDPR, so consent may not be needed.

    For more information, please see the article:
    - Article 9 GDPR: https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/

     

    What do I need to consider before the implementation stage?

    In the early stage of setting up a startup for developing facial reconstitution software, you need to make a Data Protection Impact Assessment in order to verify what kind of data your company will process and how it will handle and secure them.

    In these articles, you may find some help and guidance:

    In developing the software, you should consider the principles of privacy by design and privacy by default as set out in Article 25 GDPR. Here you can find more information about those principles:

    - What is privacy by design & default according to GDPR?: https://advisera.com/eugdpracademy/blog/2018/04/17/what-is-privacy-by-design-and-default-according-to-gdpr/

     

    Is it required for us to have a DPO?

    In case your software uses biometric data, DPO appointment is mandatory under Article 37, letter (c), GDPR, because your core business will be the processing of special categories of data.

    You can read more about it in the following articles:
    - How to hire the right DPO? https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/
    - The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

    We are planning to use AWS for storage; is this OK, or is it better to keep the data on our own servers?

    There is no single answer. It is up to the data controller to assess whether data are better protected with internal servers or with a cloud solution.

    AWS, as a storage provider, claims to be committed to the highest security, compliance and privacy standards. You will need to check the terms of service of AWS in order to verify the protection standards and decide which measures ensure a level of security appropriate to the risk.

    Do we need to perform some kind of risk assessment before starting?

    Article 35 GDPR requires you to perform a Data Protection Impact Assessment (DPIA) where the use of new technologies presents a high risk to the rights and freedoms of individuals. However, a DPIA is also highly recommended when it is not mandatory, in order to demonstrate accountability under the GDPR provisions.

    For more information, please read the article:
    - 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

    How would ISO 27001 help us?

    Implementing ISO 27001 may help you to follow an international standard for information security risk and to be accountable for security measures under Article 32 GDPR, although there is no complete match between the two.

    These materials will also help you regarding GDPR implementation:
    - What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
    - EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • GDPR and Coronavirus

    We are an international university (and the university is also a city where everyone who works and studies also lives/resides). As such, we are currently placing individuals who are returning from high risk areas (of the Coronavirus), or those who have had contact with those in high risk areas (e.g. roommates), in quarantine.

    It would be great to receive some guidance on things we should be able to do in terms of GDPR in the context of:

    • Informing them we will place them in quarantine
    • Sharing information of those who are placed in quarantine (we may for example send to housekeeping, their course instructors, etc.)

    You must inform the individuals returning from high risk areas about how you will process their data concerning health (collecting, sharing, storing data) and why you are collecting their data about health. Please consider that while health data is included among the special categories of data under Article 9 GDPR, reasons of public health allow you to process these data without consent. Although consent is not needed, you must always inform individuals about how their data are processed.
    You should also reveal how long you will retain this data (as long as the public health risk is concrete).

    You can find more information about:
    - Public health reasons for processing special categories of data in Paragraphs 52-55 of the Preamble of GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=IT#d1e1374-1-1
    - Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

  • Information Security Policy vs. IT Security Policy

    An IT Security Policy is a document which allows your company to comply with the security measures under Article 32 GDPR for information systems and information assets. It identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. The goal of an IT security policy is to keep systems and information confidential, available and intact.

    Information Security Policy is a top-level document that defines general principles and responsibilities for information security - it does not go into details like the IT Security Policy does.

    These materials will also help you regarding Information security policy:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
