
  • What is clause 9 about?

    Answer:
    Clause 9 is not about monitoring and measuring of gages and calibration. Clause 9 is more about process and management system performance. Quality control is included in clauses 8.4 and 8.6. Calibration is included in clause 7.1.5.

    The following material will provide you with information about monitoring and measurement:

    - ISO 9001 – Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
    - Analysis of measuring and monitoring requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
    - Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1 - https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • “Refer a Friend” program

    Yes, there is only one kind of consent. However, depending on what you are referring your friend to, legitimate interest may work as well.
  • DPO ROLE

    Answer:

    There is no DPO manual available to explain what the DPO is supposed to do under different scenarios. It does not work like this. The DPO role is a complex one and it does not come with a “user manual”.

    Usually, in case of a data breach, the DPO would be the one in charge of the following:
    - establishing the severity of the data breach;
    - drafting the data breach notification to the SAs or data subjects;
    - acting as a contact person for the SAs and data subjects concerned;
    - informing the management of the company about the data breach and its consequences for the rights and freedoms of the affected data subjects.

    To learn more about the DPO role check out our webinar “Role of the DPO according to EU GDPR” https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/
  • Becoming GDPR compliant

    2. Also, I would like to know: if we weren't GDPR compliant before, does this mean we have to contact all of our databases to reacquire their consent all over again in the new GDPR way?
    3. Our website asks people to sign up to receive emails - so we collect email and their name - if they want they can sign up via Facebook or Telegram messenger too, but it's primarily email and name. Do these 2 things count as 'personal information'?
    4. What does 'personal information' include? And I'm so sorry, but one last final question to add to the previous one: if you have an ebook or some other kind of material available on the website but we ask that you register with your email address in order to continue reading, does this still constitute 'consent given freely'?

    Answers:

    1. With some minor exceptions, the rules regarding the EU GDPR apply to all companies regardless of their size. The most important is the exemption from keeping records of processing activities pursuant to article 30 - “Records of processing activities” (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/). This document is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offences.
    2. Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR if it also meets the requirements of the Regulation.
    This may be difficult given the new and stringent requirements for consent. In theory, some businesses should therefore consider approaching their existing customers or employees to obtain a fresh consent that is valid under the Regulation.
    3. Name and email address constitute personal data.
    4. The EU GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
    Examples of personal data include: name, surname, email address, physical address, IP address, internet identifiers, bank account data, images, etc.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Is consent needed?

    2. If the patient's record has 3rd party data in it, for example a midwife's notes, this data is not owned by the GP, but could be relevant to the SAR. Under GDPR, is consent needed from the 3rd party to release the data?

    Answers:

    1. The consent is not needed if the third party which asks for the information acts to preserve public interest or the vital interest of the data subject. I don't think that using the data in conferences qualifies. However, if the data is anonymized so it cannot be traced back to a patient, then consent is not needed.
    2. The data in the SAR needs to be data which concerns the patient; if the midwife's notes are related to that patient, the information must be provided.
  • GDPR/Terms and conditions

    There are 2 issues:
    1. Should we be GDPR compliant for users who have a registered account with us and are not EU citizens?
    2. Should we be GDPR compliant for users who have a registered account with us, are not EU citizens and don't serve EU clients?

    Answer:

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place “in the Union,” nor is the individual “in the Union”.
  • DPIA policy

    2. And the other one: I was pretty sure that the company might be both data controller and data processor, but the more I'm reading about GDPR, the more I'm starting to think that we can be only one of them?

    Answers:

    1. A DPIA is an assessment of the impact of envisaged data processing operations on the protection of personal data, and more particularly an assessment of the likelihood and severity of risks for the rights and freedoms of individuals resulting from a processing operation. Under the GDPR, controllers will be required to undertake DPIAs prior to data processing - in particular processing using new technologies - which is likely to result in a high risk for the rights and freedoms of individuals (Article 35).

    The GDPR provides the following non-exhaustive list of cases in which DPIAs must be carried out:
    · automated processing for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects;
    · processing on a large scale of special categories of data or of data relating to criminal convictions and offences;
    · systematic monitoring of a publicly accessible area on a large scale.

    To find out more about DPIAs, check out our webinar “Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/).

    2. You can't be a processor and a controller at the same time for the same processing activities. However, you can be a controller for certain activities, for example HR management of your own employees, and a processor for the personal data entrusted to you by other data controllers.

    To find out more about controllers and processors check out our article “EU GDPR controller vs. processor – What are the differences?” (https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/).
  • Template content

    The provided template consists only of requirements for deploying any sort of antivirus software with auto-updates ON, but in our case it isn't enough.
    The reason I ask for assistance is that we provide SMB SaaS with access for customers to terminal servers with this software installed on them, and this software has the functionality to modify client-side source code for customization needs. We don't know for sure how we should consider this threat: as a potential to execute any malware, or just as a technical vulnerability (so we should refer to A.12.6).

    Can you help us to complete our understanding?

    Answer: There is no extended template, but as a part of the toolkit you bought you can schedule a meeting with one of our experts so he can help you develop the extensions you need. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

    Considering the information you provided, the possibility to modify client-side source code should be treated as a technical vulnerability, because this feature is part of how the antivirus software works to protect the assets, but may have a negative impact that must be assessed first before releasing the software in the operational environment, which can be handled by controls from section A.12.6.
  • ISMS scope template

    With the organisational units (sec 3.2), do we have to list every type of unit, i.e. computer monitors, keyboards, laptops, mouse, etc.? Also, I really don't get how they are separated from units that are not in scope. If we have a desk that is not in scope and a laptop that is on that desk that is in scope, how would I document that?

    3.1 Processes and Services

    Is this enough detail? Below:

    Processes and services
    Existing services - Pentesec will continue to deliver its services within a secure environment.
    Development - Pentesec will conduct annual risk assessments to ensure that risk to information in the care of is minimized or eliminated.
    Incidents – Pentesec will ensure that all systems are protected and resilient from breach by keeping firewall software and licences up to date with the latest patches to prevent entry of any malware.

    Organizational units

    Laptops, Docking Stations, Keyboards and how they are separated from the organizational units that are not included in the scope

    Answer: In section 3.1 you should detail the "existing services" to the services currently running (e.g., software development services, printing services, etc.).

    For section 3.2 (Organizational Units) you should list the business areas included in the scope (HR department, IT department, R&D department, etc.), not the assets. As ways they are separated from units not in the scope, you can mention walls, doors, separate buildings, etc.

    Included in the template there are comments with examples of how you can fill the templates. Additionally, you have access to a video tutorial that can help you fill the ISMS scope template.
  • Roles and responsibilities

    Answer:

    Regarding the question about how top management can value ISO 9001 and therefore give their commitment to the project, you can organize a meeting with top management to present the benefits and myths of ISO 9001:2015 and how they are relevant to your company.

    In this article you can find some techniques to convince your top management - 4 crucial techniques to convince your top management about ISO 9001 implementation: https://advisera.com/9001academy/blog/2017/12/05/4-crucial-techniques-to-convince-your-top-management-about-iso-9001-implementation/#

    You can use this free project proposal for ISO 9001 implementation to help you convince top management to implement ISO 9001: https://info.advisera.com/9001academy/free-download/project-proposal-for-iso-9001-implementation-ms-powerpoint

    You can also read this document, which explains how implementing ISO 9001 can help your company grow and perform better - How can ISO 9001 help your business grow?: https://info.advisera.com/9001academy/free-download/how-can-iso-9001-help-your-business-grow

    For employee commitment, you can organize an awareness session with them, presenting the myths and benefits of ISO 9001:2015 as well as the importance of their role in the implementation. For this, you can use this free white paper: Why ISO 9001:2015 - Awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation

    You can find information about the process approach in this article - ISO 9001: The importance of the process approach: https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/#

    For the definition of indicators, you can read this article - Define key performance indicators for a QMS based on ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/