
  • GDPR Application in Case of EU Nationals Living Outside UAE


    Answer:

    My guess is that the EU GDPR is not applicable in your case since you are not offering goods or services to individuals in the EU.

    The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place “in the Union,” nor is the individual “in the Union”.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Transferring personal data


    2. What do you mean by “substantially affects” in alternative b)? I can’t really see that there is a requirement that our head office located in Norway would need to have a cross border agreement to process data for our employees located in branch offices within the EU such as the UK, the Netherlands and Sweden.

    Answer:

    1. If you are transferring personal data to a third party located outside the EEA, then this constitutes a cross border data transfer and certain safeguards such as Standard Contractual Clauses (SCC) need to be in place in order for the transfer to be consistent with the EU GDPR requirements.

    2. As mentioned above, transfers to countries which are within the EEA are not considered cross border transfers; thus, there is no need for the SCCs or other safeguards.
  • Assessing data breaches

    I'm trying to figure out what this means - when we should or shouldn't notify customers.

    The sort of data we typically have is:
    - IP address
    - Full name
    - Email
    - Home address
    - Work address & name of work (sometimes)
    - Purchase history (we sell clothes)
    - Other less interesting things such as what pages have been visited, which marketing emails have been opened, etc.

    Based on my limited understanding, the most sensitive information we have is a customer's size data. If we leaked, say, 100,000 records it may directly or indirectly contain information on someone's size. Can you help clarify this?

    Answer: I think you will find an answer to this if you read our “Assessing the severity of personal data breaches according to GDPR” (https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr). This document will provide you with a simple “out of the box” methodology to assess your data breaches.
  • Procedures development


    Answer: To define which documents you need to develop and how to make them useful, you should consider issues such as:
    - regulatory or contractual requirements that demand a certain document
    - the organization's size and the number of people involved
    - the importance and complexity of the process or activity

    This article will provide you with further explanation about documentation development:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    These materials will also help you regarding documentation development:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 toolkit for SaaS companies


    Answer: Many of our clients are companies that provide SaaS and are using large hosting providers like AWS, Azure and similar - so yes, this toolkit is applicable for such companies, especially if they are small or medium-sized (up to 500 employees).

    Here's a very useful article on defining the ISMS scope when using hosting services: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
  • Configuration Management and other processes


    Answer:
    I would say that none of Incident/Problem/Change Management is fully implemented without Configuration Management (Service Asset and Configuration Management in ITIL). That means that the mentioned processes depend on information from Configuration Management.
    The following articles provide more details:

    Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/
    Answers to 5 FAQs about the ITIL Service Asset and Configuration Management process https://advisera.com/20000academy/blog/2016/03/29/answers-to-5-faqs-about-the-itil-service-asset-and-configuration-management-process/

    Also, there is a recorded webinar that can help you:
    The basic elements of ITIL Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/webinar/the-basic-elements-of-itil-service-asset-and-configuration-management-sacm-free-webinar-on-demand/
  • Retention period and Data processor agreement

    2. Data processor agreement – Our client requested us to sign a Data Processing Agreement, which defines our client as data controller and us as the data processor. However, under certain situations, in delivering the service to clients, we play the data controller role and our client is the data processor. Does this mean we need another Data Processing Agreement for these exchanged roles?

    Answer:

    1. I strongly advise you to define a maximum retention policy for candidates' CVs, considering that the data in a CV would most likely be outdated in a few years anyway.
    2. Not necessarily. When you are acting as an independent controller it is not necessary to have a DPA with another controller.

    To learn more about the EU GDPR check out our “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Personal Data Protection Policy


    Answer: Indeed, this is one reason, and the other is that in order to fulfill all of its obligations with regard to the EU GDPR, any company needs to get the support of top management. Thus, top management needs to be informed, and it also needs to endorse the compliance effort together with the Personal Data Protection Policy.

    To learn more about the Personal Data Protection Policy check out our article “Contents of the Data Protection Policy according to GDPR” (https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/).
  • Filling out ISO 14001 templates


    Answer:

    In the case of policies and procedures you won't need much effort, since our templates are already written and they are fully editable; you just need to enter the specific information about your company. However, the forms are not pre-filled, so you will need to input all the information.

    Also, it is important to highlight that our documentation not only deals with all the technicalities but also guides you on what to fill out with several comments.

    You can click the "Download a Free Toolkit Demo" button to download a toolkit preview, or you can click the preview of each document in the section "Toolkit Documents" here: https://advisera.com/14001academy/iso-14001-documentation-toolkit/
  • Lessons Learnt Program


    Answer:

    We do not have any detailed procedure for a Lessons Learnt Program. Your organization monitors performance, identifies improvement opportunities, develops improvement projects and after evaluating their effectiveness, intends to capture the know-how acquired.

    A procedure for a Lessons Learnt Program should define how that know-how is acquired and transmitted to others in the organization.