
  • GDPR in podcasts and video interviews

    Also, I would like to know if there is a need for any type of consent from the owner of the place where we do the shooting. For example, I would like to shoot on the WU University Campus; which document can I provide to them to agree to, so that I don't have any problems later on?
    Your advice would be really great, I started to read anything I could find about this topic and got very lost and confused.

    Answer:

    Unfortunately, we only deal with the EU GDPR requirements, so I am afraid I cannot provide any information on US or Asian data protection laws.

    Coming back to the EU GDPR, in order to be able to share personal information of your guests you will need to get their consent.

    You can find readily available consent forms in our GDPR Consent & Data Subject Rights Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-consent-data-subject-rights-toolkit/).
  • EU GDPR


    1. Can you give me some info sources for the formulation of such a contract, if I do not have the personal names?

    Answer:

    Personal data is any information which is related to an identified or identifiable natural person. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data, so, as you can see, it is not limited to names only.

    The document you are referring to is commonly known as a Data Processing Agreement and is required under Art. 28 of the GDPR.

    You can find readily available templates for such a document in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).

    2. Does the data processing itself only guarantee that my application treats the data in accordance with DSGVO or does it run as I claim?

    Answer:

    You as the owner of the app and as a processor of personal data need to ensure that you are processing personal data in a way that is compliant with the EU. This is the purpose behind a Data Processing Agreement to give comfort to the data controller that you will be processing data in a compliant manner.

    3. Do I have to protect the software itself as I would have to protect data?

    Answer:

    You need to ensure that your software has adequate safeguards in place to protect the personal data that is being processed. The safeguards will vary depending on the types and categories of personal data. Article 32 of the GDPR provides some examples, such as anonymization and pseudonymization.
  • Production data in 8.2.1 Feedback


    Answer:
    The following production data can be collected as part of feedback: any non-conformities from the production process or any other issues seen by the production staff during manufacturing, measurement of different production elements related to production optimization, and monitoring of production parameters (e.g. line speed, percentage of scrap, equipment failure time due to failure and the like). You are responsible for deciding which parameters will be monitored for this purpose.

    If you need some more details on how to implement requirement 8.2, please read the article at the following link:
    https://advisera.com/13485academy/blog/2018/09/20/how-to-comply-with-section-8-2-monitoring-and-measurement-in-iso-134852018/
  • Consent, transferring and encrypting data


    Answer:

    Transferring personal data to third-party service providers acting as data processors is not forbidden by the EU GDPR. However, you need to ensure that the processors have in place adequate technical and organizational measures to protect the data.

    2. Do I need to get consent if I want to transfer the data?

    Answer:

    No, you don't need to have consent to use and to transfer personal data to third party processors. However, you need to ensure that the data subjects are informed of the use of such processors via a Privacy Notice.

    For more information on privacy notices check out this webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    3. Do I need to encrypt the data before sending it, or what measures do I need to take?

    Answer:

    Although not mandatory under the EU GDPR, I would strongly advise you to use encryption while sending personal data and also ask the processor to have encryption at rest. This is due to the fact that data concerning health is transferred.

    You can find more information about the EU GDPR requirements on security in this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Common documents to different offices

    My question is: can the QMS documents of my head office be used for the UAE office, or does it need separate QMS documentation? Whether it can or can't, please give your advice as to the reason why.
    Note: The UAE office certification was done with a simple QMS manual without any procedures, RACI of procedures, forms, templates, etc.

    Answer:
    ISO 9001:2015 does not require the use of a QMS manual. So, your UAE office can decide the content of its QMS manual. What is important is that what is applicable to the Kuwait office is also applicable to the UAE office. Same quality policy? Same process map?

    If the UAE office uses the QMS manual from the Kuwait office, I, as a lead auditor, would like to see whether your office is on the distribution list of the Kuwait office, to ensure that updated versions are sent to your office.

    The following material will provide you with more information about document control:
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Starting the ISO 9001 implementation


    Answer:

    Depending on what you have, it may be useful for the implementation of the new version of the ISO 9001:2015 standard, for example some of the procedures in use. I recommend that you first carry out a gap analysis to find out which requirements your organization already complies with. You can do the analysis for free here - ISO 9001 gap analysis tool: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/

    Here you can download for free a document that explains the transition from ISO 9001:2008 to ISO 9001:2015 in 12 steps (in English) - Twelve step transition process from ISO 9001:2008 to the 2015 revision: https://info.advisera.com/9001academy/free-download/twelve-step-transition-process-from-iso-90012008-to-the-2015-revision

    In this article you can find the mandatory documentation in ISO 9001:2015 and the most commonly used documents - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    At this link you can also download a diagram (in English) with the steps of the implementation - ISO 9001 implementation diagram: https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram

    For more information on the transition process to ISO 9001:2015, see the following materials:
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Aspect determination


    Answer:
    I have no previous experience in working with the soya product industry. What I can advise you is to look at your organization as a black box (in a first approach you should not care about what is happening inside). The purpose of developing an Environmental Management System is to improve an organization's interactions with the environment.
    How does your organization interact with the environment, with what is outside the black box?
    For example, during production your organization consumes energy, generates waste, generates noise, and can generate air emissions and/or wastewater discharges. It buys soya from producers that may have a bigger or lesser impact on the soil, water and natural ecosystems.

    After determining how your organization interacts with the environment you can open the black box and look for the origin of those interactions (activities, products and services).

    The following material will provide you with more information about aspects and impacts:
    Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
  • General Question about EU GDPR

    So I wanted to know if I can automatically add businesses to the online directory in that way, without initially phoning/contacting them to get approval to do that?

    Answer:

    The problem is not gathering the information from public sources, especially if it is B2B information. However, if you want to start contacting them, you need to have a lawful ground for the processing which, in your case, can be either legitimate interest or consent.

    If you want to find out more about the lawful grounds for processing, check out this article: Is consent needed? Six legal bases to process data according to GDPR (https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/)
  • Certification audit questions


    1. Is it a requirement for the policies & procedures to be approved after the SoA?

    Answer:

    It is not a requirement, but a best practice to avoid rework, to approve policies and procedures only after the SoA has been approved, because any changes in the applicability status of controls in the SoA can impact the development, or review of policies and procedures.

    These articles will provide you with further explanation about the implementation steps and the SoA:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2. Another question: is it a requirement to have 3 months of ISMS evidence/records before the ISMS external audit?

    Answer:

    It is not mandatory by the standard to have 3 months of ISMS evidence/records before the ISMS external audit; however, some certification bodies, as part of their own processes, require the management system to be 3 months in operation before going for certification (you should verify this situation with your own certification body).

    This article will provide you with further explanation about the certification process:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    These materials will also help you regarding the certification process:
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • CISA and ISO 27001 Lead Auditor


    I have passed CISM and CRISC and am preparing for CISSP. My goal is to do CISSP and either ISO 27001 Lead Auditor or CISA. For now, I am in Europe, so I am thinking of switching to an Infosec company or environment in Europe or the Middle East (Dubai). I understand different geographic areas have a bias for either CISA or ISO 27001.

    What is your take on these two courses (CISA, ISO 27001)? Which one will fit well with my career prospects and be the most marketable?

    Answer:

    The decision about which certification to choose will depend on the type and depth of the activities you desire to perform (both are world-wide recognized certifications for auditing). If you want to focus on auditing information security management, you should consider ISO 27001 Lead Auditor. If you want to go beyond auditing the scope of information security, and also consider the audit of strategic relationships between information security and the information systems and business objectives, you should consider CISA. Please note that these courses do not exclude each other; they only offer different perspectives on how to audit the way information interacts with business.

    Considering your background, and the certifications for which you have already taken the exam, ISO 27001 Lead Auditor would add more value to your profile (CISA will add auditing skills to CISM knowledge, but the knowledge added by ISO 27001 Lead Auditor can be used as well, and the ISO 27001 brand could be more attractive in Europe and the Middle East).

    These articles will provide you with further explanation about personal certifications:
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/training/iso-27001-lead-auditor-course/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    To see more about the course, please access: https://advisera.com/training/iso-27001-lead-auditor-course/