  • EU GDPR compliance and personal data


    1. Where do I report a company that does not respond to my request on personal data?
    2. Can a company report another company when not complying with GDPR?
    3. I have a contract with accounting company. How do I become compliant?
    4. I only have B2B customers do I need to be compliant with GDPR?

    Answers:

    1. You can report a company to the competent Data Protection Authority (or Supervisory Authority) if you don't get a response. However, consider that the company has one month to respond. If it has been more than one month you can file a complaint. You can find a list of Supervisory Authorities at: https://edpb.europa.eu/about-edpb/board/members_en

    If you want to find out more about your rights according to the EU GDPR check out this free webinar Data Subject Rights under the EU GDPR (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/)

    2. Yes, it can; however, the complaint needs to refer to individuals' data and not company data such as registration number, VAT code, etc. The same mechanism for filing a complaint applies as for question no. 1.

    3. Usually accounting companies are acting as data processors so you would first need to check if any personal data is sent to the accounting company. If this happens you would need to have a Data Processing Agreement in place with the accounting company. This document needs to fulfill the requirements set up in art. 28 of the EU GDPR. You can find a readily available template for a Data Processing Agreement in this EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/)

    4. I would say yes because besides B2B data you would be processing data of the representatives of the legal entities which are individuals therefore their data is personal data. Also, if you have employees you will be processing their personal data as well thus their personal data needs to be processed based on the GDPR requirements.

    If you want to find out more about the applicability of the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Questions about ISO 22301


    Answer: Number of employees and number of departments are only two of a set of relevant variables to help you define the ideal time of implementation (e.g., you also have to consider the experience of the implementation team, and the organization's structure). To consider all these variables I suggest you use our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    2. What are the things that I need to look out for if a business unit (BU) wants to be certified for ISO 22301, rather than the organization?

    Answer: The main issue is the definition of the implementation scope, i.e., the elements that are part of your Business Continuity Management System. With this information you will be able to focus on what is important and relevant to this business unit and how to handle the point where this BU interfaces with the rest of the organization. Other points are pretty much as if the whole organization is part of the scope:
    - Getting top management support
    - Elaborating documentation (the mandatory by the standard and those required by the business)
    - Implementing, testing and reviewing plans
    - Reviewing and Adjusting the BCMS

    These articles and materials will provide you further information (the articles about scope focus on ISO 27001, but the concept is also applicable to ISO 22301):
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
    - ISO 22301: An overview of the BCM implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
    - How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

    3. While in a BU, there will be different departments dealing with different services. So how and what involvement would there be for other BUs or organization departments, for example, facilities, legal, etc.?

    Answer: This answer is unique for each organization, because this depends on the organization's internal structure, culture, and other factors. To take this into account, ISO 22301 has a requirement demanding organizations to perform a Business Impact Analysis (BIA), which will help them identify exactly the factors that can influence and/or prevent the delivery of the services involved in the BCMS.

    For further information about (BIA), please read:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    - Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/

    4. Are the different departments, both at BU and organization level, required to come out with their own BIA?

    Answer: If the processes and services to be included in the business continuity process are quite different, then a better approach would be for each department to perform its own BIA, because this would be a less complex approach. On the other hand, if the processes are similar, then performing a single BIA will be quicker.

    The recommended material from the last answer will also be useful for this answer.
  • Information Security Officer position


    Answer:

    ISO 27001 does not prescribe which roles or positions should be created, only that responsibilities and authorities must be defined and assigned, so organizations are free to define the model that best suits them. For small organizations, up to 50 employees, a good approach is to assign responsibilities and authorities for information security to the CEO or someone from top management. For bigger organizations a better approach is to create a specific role to be responsible for information security, because of the number of tasks and time required.

    These articles will provide you further explanation about CISO (Chief Information Security Officer):
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Corrective actions and emergency preparedness


    Answer:
    ISO 14001:2015 does not include any requirement for the use of a formal corrective action process to handle any issues identified in an emergency preparedness drill. One thing is to recommend that practice as an improvement opportunity, another thing is to classify that finding as a non-conformity.


    The following material will provide you information about emergency preparedness:
    - ISO 14001 – 5 steps to set up an emergency plan according to ISO 14001 - https://advisera.com/14001academy/blog/2014/07/23/5-steps-set-emergency-plan-according-iso-14001/
    - ISO 14001 emergency preparedness and response - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-emergency-preparedness-and-response/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Control, maintain or retain document information


    Answer
    ISO 9001:2015 classifies documented information in two types: documents to maintain and documents to retain. Documents to maintain are, for example, manuals, procedures, work instructions and forms. These documents can become obsolete, can be changed to newer versions, can be updated. When we fill in a form it becomes a record, and a record, like a photo, documents an event and cannot or should not be changed, and cannot become obsolete. Documented information, whatever the type, should be controlled, and clause 7.5 describes the requirements. Saying that a document should be retained or maintained is just a way of distinguishing procedures from records, different types of documents.

    The following material will provide you information about documented information:
    - Article – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Nonconformity or improvement opportunity?

    ISO 14001-2015 : 6 Planning : 6.1 Actions to address risks and opportunities : 6.1.2 Environmental aspects
    It was noticed there were no specific criteria being developed to determine significant aspects (Procedure EMS 6.1.2.1) when they impact a legal requirement. A single matrix evaluation is considered for both legal and non-legal impacts. It is recommended to look for options to differentiate the two aspects and deal with them separately.

    Answer:
    As a consultant I would recommend considering the difference between environmental aspects linked to legal requirements when evaluating significance.

    As an auditor I would also recommend the change as an improvement opportunity. As an auditor I would consider the situation as a non-conformity if I found any evidence of not considering any relevant legal requirement attached to an environmental aspect. Even if the organization has not included the difference in the evaluation procedure, perhaps in practice it is doing it.


    The following material will provide you information about an environmental management system:
    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • GDPR requirements for website sale

    I have a couple of questions you may be able to help me with:
    1. My business is selling exclusive perfumes via my website account. What are the minimum requirements for my website?
    2. I use couriers to deliver the products. Are the couriers my processors?
    3. Do I need to register to the data protection authority?
    4. Can I insert advertising flyers or coupons in the packages?

    Answers:

    1. If you are selling products using your website this means that you will be collecting personal data from your customers in order to process and ship the order to them. You may also be collecting their email address either to confirm their order or even to send them advertising (provided they have consented). If you use cookies on your website there are certain requirements as well. You can find readily available templates for Website Privacy Notice, Cookie Policy as well as Terms & Conditions in this EU GDPR Mini Toolkit for Websites (https://advisera.com/eugdpracademy/eu-gdpr-mini-toolkit-for-websites/).

    2. Couriers usually act as independent data controllers and not processors.

    3. This depends on the jurisdiction where your company is established. Certain Supervisory Authorities require controllers to register. So, my advice is to check your local Supervisory Authority website for more information.

    4. You may insert advertisement flyers, but only for the customers who had previously given their consent. If you want to find out more about consent and marketing check out this free webinar How GDPR affects marketing practices (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).
  • GDPR and the territorial scope


    Answer:

    Switzerland is not a country where the GDPR would be applicable by default; however, the GDPR has an extraterritorial component, meaning that the EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behavior of individuals in the Union (i.e., profiling activities, tracking individuals' activities on the internet, etc.).

    This basically means that companies in Switzerland may be caught by the GDPR.

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case, the processing does not take place “in the Union,” nor is the individual “in the Union”.

    If you want to find out more about the extraterritorial reach of the EU GDPR check out our EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)
  • GDPR and marketing emails


    Answer:

    Based on your description you will be sending marketing emails to a potential client database. In this case, it is very important that whoever provides you the database is also able to prove that the persons in the database have given their consent to be approached for marketing purposes.

    If you want to find out more about consent and marketing check out this webinar “How GDPR affects marketing practices” (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/)
  • Subcontracting design and development

    Just one more thing, with the 2015 version is it still necessary to have a quality manual?

    Answer
    ISO 9001:2015 does not require a quality manual and does not forbid its use. I understand that your question is about an organization subcontracting design and development activities. An organization should evidence planning and control of subcontracted activities. You don’t have to detail your external service provider's design and development, you have to detail supplying or controlling design and development inputs, and at least control activities (at least verification and validation activities).

    The following material will provide you information about quality manuals and design and development:
    - Article – The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/