The policy is not mandatory; however, it is mandatory to perform DPIAs when the processing activities can pose a high risk to the rights and freedoms of the data subjects.
Usually, banks are acting as independent data controllers in these cases. The GDPR does not expressly require any documents to be signed between independent data controllers; however, this is a best practice.
You can find readily available templates for a Controller to Controller agreement in our EU GDPR Premium Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/).
@Guest user
1. As a software company, do we need to comply with the provisions of Art. 30 of the GDPR?
Art. 30 Records or Inventory of Processing Activities are only mandatory if (a) the company has more than 250 employees, or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
@Guest user
2. Do we need to perform DPIA for all the processing activities? Are there any criteria to be considered?
No, you don't. DPIAs are only compulsory for processing activities that are considered to be high risk to the rights and freedoms of the individuals. You can find a DPIA screening questionnaire in our EU GDPR Data Mapping & DPIA Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).
@Guest user
3. How do we manage marketing communications? Are we required to obtain consent?
You can usually use consent for processing personal data for marketing purposes, or alternatively you can use legitimate interest. The most common lawful ground used is, however, consent. When using consent, keep in mind that consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. The controller must keep records so it can demonstrate that consent has been given by the relevant individual.
If you want to learn more about consent, check out this free webinar, How GDPR affects marketing practices (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).
@Guest user
4. Are there any specific requirements for software development?
The EU GDPR is meant to be cross-industry, so there are no industry-specific requirements. What I can mention is that when developing software you need to consider the “privacy by design” and “privacy by default” principles.
@Guest user
5. How about websites? Any advice on how to make a website compliant?
If you are processing personal data through your website then you need at least three documents: Website Terms and Conditions, Privacy Notice and Cookie Policy (if you are using cookies). You can find readily available templates in this EU GDPR Mini Toolkit for Websites (https://advisera.com/eugdpracademy/eu-gdpr-mini-toolkit-for-websites/).
The legal requirements for ISO 45001:2018 will differ from company to company, and location to location; however, they are any Occupational Health & Safety laws that are relevant to your company. You likely already meet these laws in order to be in business, but the ISO 45001 standard asks that you ensure you have identified all applicable laws and then keep up to date when these laws change.
For more on this topic you can see the article: How to identify and comply with legal requirements in ISO 45001, https://advisera.com/45001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-iso-45001/
ISO 9000:2015, the standard about vocabulary, defines top management as a person or group who commands and controls an organization at the highest level. So, each organization should consider what is, in their own case, the highest level. In a small organization, top management can be the owner. In a big corporation, top management can be a member of the board, nominated to be the top authority about the quality management system.
The following material will provide you with information about risks and opportunities:
- Article - How to comply with new leadership requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/
- Article - To what extent should top management be involved in your QMS? - https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
OK, thank you for your answer Rhand!
Controls A.8.3.1 and A.12.5.1 are covered by the following templates:
Regarding control A.12.6.1, there is no template covering this specific clause.
Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:
1) ISO 27001 does not require each and every control to be documented
2) If the toolkit had a document for each control, there would be too many documents, and this would be overkill for smaller and mid-size companies.
Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:
All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.
The RTO value can be found in cell C40 (4 hours), and this value is defined by the results in sections 3 (Impacto general del incidente disruptivo) and 4 (Impacto financiero del incidente disruptivo).
For section 3, the first major consequence (level 3) occurs after 4 hours, and the first massive financial impact (over 4k) occurs after 24. The RTO is based on the shortest period (i.e., 4 hours).
The RPO value can be found in section 10 (Pérdida máxima de datos), and is based on the shortest period for which you have a major consequence regarding data loss for the items you included in the questionnaire (i.e., 24 hours).
Your understanding is correct. Please note that included in your toolkit, there is a "List of Documents" file that identifies which controls are covered by each document in your toolkit.
1. We are a small company and we have just now started working on our compliance program. Can you please suggest what would be the best way to start with that?
The best way to start is to do an internal assessment and determine which are the areas you need to address first. I suggest using this EU GDPR Readiness Assessment Tool (https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/) to get an idea of where you are currently standing.
2. What information do we need to include in our Inventory?
The information to be included in the Inventory of processing activities is described in art. 30 of the GDPR. You can find a readily available template for such an inventory as a part of our GDPR Data Mapping & DPIA Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).
3. How much time do you think it will take to implement the basics?
You can use this EU GDPR Compliance Duration Calculator (https://advisera.com/eugdpracademy/free-tools/) to get an estimate of the time needed to become compliant.
4. Is there a list of documents which are mandatory?
You can find a list of documents you can download on our website at https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/. The mandatory documents are marked in the list.
5. Do you think we need to have a DPO?
This depends on your activities. You need to appoint a DPO if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.