2. What do you mean by “substantially affects” in alternative b) I can’t really see that there is a requirement that our head office located din Norway would need to have a cross border agreement to process data for our employees located on branch offices within EU such as UK, Netherlands, Sweden.
Answer:
1. If you are transferring personal data to a third party located outside the EEA than this is consistent with a cross border data transfer and certain safeguards such as Standard Contractual Clauses (SSC) need to be in place in order for the transfer to be consistent with the EU GD PR requirements.
2. As mentioned above transfers to countries which are within the EEA is not considered a cross border transfers thus, there is no need for the SSCs or other safeguards.
Assessing data breaches
I'm trying to figure out what this means - when we should or shouldn't notify customers.
The sort of data we typically have is:
- IP address
- Full name
- Email
- Home address
- Work address & name of work (sometimes)
- Purchase history (we sell clothes)
- Other less interesting things such as what pages have been visited, which marketing emails have been opened, etc.
Based on my limited understanding, the most sensitive information we have is a customers's size data. If we leaked, say, 100,000 records it may directly or indirectly contain information on someone's size. Can you help clarify this?
Answer: I think you will find an answer to this if you read our “Assessing the severity of personal data breaches according to GDPR” (https://info.advis era.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr). This document will provide you with a simple “out of the box” methodology to asses your data breaches.
Procedures development
Answer: To define which documents you need to develop and how to make them useful, you should consider issues such as:
- regulation or contractual requirements that demands a certain document
- the organization size and the number of people involved
- the importance and complexity of the process or activity
Answer: Many of our clients are companies that provide SaaS and are using large hosting providers like AWS, Azure and similar - so yes, this toolkit is applicable for such companies, especially if they are small or medium-sized (up to 500 employees).
Answer:
I would say that neither Incident/Problem/Change Management is fully implemented without Configuration Management (Service Asset and Configuration Management in ITIL). That means that mentioned processes are depending on information from Configuration Management.
Following articles provide more details:
2. Data processor agreement – Our client requested us to sign a Data Processing Agreement, which defines our client as data controller and us as the data processor. However, under certain situation, in delivering the service to clients, we play the data controller role and our client is the data processor. Does this means we need another Data Processing Agreement for these exchanged roles?
Answer:
1. I strongly advise you to define a maximum retention policy for candidates CV considering that anyway the data in the CV would be most likely outdated in a few years.
2. Not necessarily. When you are acting as an independent controller it is not necessary to have a DPA with another controller.
Answer: Indeed, this is one reason and the other is that in order to fulfill all of its obligations as regards to the EU GDPR any company needs to get the support from the top management. Thus, the top management needs to be informed and it also needs to endorse the compliance effort together with the Personal Data Protection Policy as well.
In the case of policies and procedures you won´t need much effort since our templates are already written and they are fully editable, you just need to enter the specific information about your company. Although the forms are not pre-filled, so you will need to input all the information.
Also, it is important to highlight that our documentation not only deals with all the technicalities but also guides you on what to fill out with several comments.
We do not have any detailed procedure for a Lessons Learnt Program. Your organization monitors performance, identifies improvement opportunities, develops improvement projects and after evaluating their effectiveness, intends to capture the know-how acquired.
A procedure for a Lessons Learnt Program should define how that know-how is acquired and transmitted to others in the organization.
Flujogramas en los procedimientos
Mi respuesta:
No es necesario¡realizar flujogramas para los procedimientos. Tenga en cuenta que en esta nueva versión de la norma, ISO 9001: 2015, no es obligatorio escribir ningún procedimiento, por lo que puede optar por tener un procedimiento o no, y también cómo será el mismo. Sin embargo, la creación de flujogramas puede ayudar a una organización a explicar mejor un proceso, comunicarse e incluso a mejorar ese proceso.
Para obtener más información sobre la documentación de ISO 9001: 2015, consulte estos artículos: