I have one doubt about the exclusion of clause 8.3 Design and development.
In my opinion, nobody can exclude this clause because design and development mean not only the design of the product but also the design of the process, and the processes are particular to each organization and have to be completed by each organization!
Answer:
Thank you for your kind words, glad you appreciated!
During the webinar, because time is short, I develop this figure:
During offline training, I develop this one because I have more time:
The green company is a real case that I audited some years ago. They had no brand of their own and they did not design the products, but they were picked by customers because they were very good at developing finishing processes that made products stand out as different.
Back to your question, imagine that you buy a plastics injection machine, you receive a mold from the client, you buy the raw materials and start to manufacture plastic parts for the client. There is no real process design or product design. Most of the time organizations truly do not design processes, and auditors do not expect them to do it. So, in your shoes I would think openly: does this organization stand out for anything they do differently with their processes? If yes, clause 8.3 is applicable. If not, you can consider clause 8.3 not applicable and justify it.
Since the box plot is a process analysis tool, and probably one of the most useful and simplest forms of summarizing data, it can be used for measuring and monitoring results. The tool can be used alone or to complement a histogram, since it shows several simultaneous comparisons.
To learn more about monitoring and measurement you can see these materials:
Answer: I think you mean DPA (Data Protection Agreement/Addendum) and not DPIA (Data Protection Impact Assessment), and the answer is no.
2. Does the GDPR supersede the national "Data Protection Policy", since the company is dealing with individuals in the EU?
Answer: If the GDPR is applicable to your company, then you should comply with its requirements at least for the processing activities that are touched by the GDPR. For example, if you also have clusters that are not in the Union, then the processing activities related to them do not necessarily have to be compliant.
3. If a company has a foundation policy for children, does the responsible party/parent need to give written consent?
Answer: In the case of minors, consent should be obtained from their parents or legal guardians.
No, you don't need a separate lawful ground to use data processors. You just need to inform the data subject using appropriate privacy notices about the fact that their personal data will be shared with third parties that would act as your data processors. The data subject may object in theory but in this case you can cease to provide the service to the data subject if the service is dependent on a third party processor.
If you want to find out more about data subject rights, check out our free webinar: Data Subject Rights under the EU GDPR (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
Do US companies need to comply with EU GDPR?
Answer:
To put it bluntly, the answer is yes. You need to be compliant in terms of the processing activities related to your employees in the EU as they are in the EU and for which you are acting as a data controller.
If you want to find out more about the extraterritorial reach of the EU GDPR, check out this free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
Responsibilities in ISMS implementation
We've received additional question:
>Only the development procedure is assigned to me; I should take care of the development part. What documents are required for this? How do I implement and represent only the technical development team?
Answer: If I understood correctly, you are not the project manager responsible for the ISMS implementation, but responsible only for the part regarding the development team.
The links will show you how these documents look.
These documents cover how you ensure development is performed in a secure way and the evidence you need to show to the auditor, considering ISO 27001 requirements.
Usually, recruitment companies position themselves as independent controllers, as they will be processing the data of the candidates further even after the specific position was filled. Joint controllership relations are quite rare and, if possible, should be avoided because of the shared responsibilities in case of GDPR breaches.
Data Protection Officer
Answer:
It is mandatory to appoint a DPO under the following circumstances:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or
(b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.
If you want to find out more about the tasks of a DPO, check out our free webinar: Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).
Retention Period under GDPR
Answer:
Indeed, retention periods are quite tricky and quite country specific. There are so-called legal retention periods, such as the ones you find in various pieces of regulation such as Tax Codes, Labor Laws, etc. These can be found in your local legislation, so it is up to you and your lawyers/legal counsels to look them up. There is also personal data that is not regulated in terms of retention periods, and in this case the regulators are right: it is up to you to decide and to establish reasonable retention periods considering the processing activity, the types and categories of personal data, as well as other factors such as statute of limitations periods or contractual obligations.
2. To clarify re Retention Periods - If a client comes back for further service after, say, 5 or more years, is it fair to say I should have their personal information, order/service history, etc. available in our system, or should it be gone by then?
Answer:
You are only bound to keep the data which is required by law or by a contract with the owner of the data. After 5 years you may only be keeping invoices or documents related to the issuing of those invoices.
The scope of DPO's tasks
Answer:
I would say you are interpreting this wrong. The phrase "seek advice" does not mean the same thing as "to perform the DPIA". The DPO's job is to design the DPIA process and the DPIA documents, and the business owner should be the one filling it in with the assistance of the DPO. Imagine if it were up to the DPO to fill in all the documentation: this would mean that the DPO should be an expert in IT, HR, Operations, Security, Health & Safety, etc. The only area of the DPIA where the DPO is in charge is evaluating the identified risks and proposing the mitigation measures.
If you want to find out more about the duties of a DPO, check out our free webinar: Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).