
  • Few GDPR queries

    2. Could you clarify the confidentiality level, what should we write and why?
    3. About the Cross-border Transfer of Personal Data. The current legislation GDPR EU 2016/679 speaks about the free movement of data, so why do we need a Data Transfer Agreement, and with whom? And why should we obtain authorization from the Supervisory Authority? (Before 25 May 2018, the transfer was done with a license.)
    4. So we need only the Processor Data Processing Agreement, please approve...
    5. Question from Section 8.1.3: If we are the Controller and provide services for Non-EU companies with our nominee EU persons, what are we doing in this case? In my opinion, we have an EU local Supervisory Authority and we have a Processor Agreement with all our suppliers; is that enough to be lawful or correct...

    Answers:

    1. A Data Protection Policy is usually an internal document, but there are companies that choose to publish the document on their website in order to be more transparent in front of their clients.

    2. Usually companies classify their internal documents based on their importance to the company. Personal data should at least be considered as “Confidential” so it can only be handled by specific personnel that needs to process the data to fulfill their duties. For more information about “Information classification” you can check out our free article https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    3. A Data Transfer Agreement (DTA) is a contract between the providing and recipient organizations that governs the legal obligations and restrictions, as well as compliance with applicable laws and regulations, related to the transfer of such data between the parties. When you are transferring personal data outside the EEA, in addition to the DTA you must use appropriate safeguards in the absence of an adequacy decision. Appropriate safeguards are intended to provide enforcement and effective rights to individuals. All require prior approval from a supervisory authority. According to GDPR the appropriate safeguards are: Binding corporate rules, Standard Contractual Clauses, Approved codes of conduct or certification mechanisms, Ad hoc contractual clauses and Reliance on international agreements. Among the most used appropriate safeguards are Standard Contractual Clauses.

    The document “Standard contractual clauses for the transfer to Processors” is to be used when transferring personal data to countries outside the EEA. The same information can be found in the “Cross border data transfer procedure” (Cross Border Data Transfer (CBDT) - Transfer of personal data by controllers established in the European Union (EU) to recipients established outside the territory of the EU/EEA who act either as controllers or as processors). To learn more about cross border data transfer please check out our free webinar on “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

    4. If you are transferring data to a processor (supplier) which is located in the EU you need to use document 07.2 Supplier data processing agreement that can be found in folder 7 “Third party compliance” in the EU GDPR Documentation Toolkit.
    5. I am not sure I understand the question very well. Please rephrase it and provide more details of what data you are processing in order to provide services to your non-EU clients. Please define “nominee EU Persons”.

    To learn more about GDPR implementation please check out our free article “9 steps for implementing GDPR” https://advisera.com/articles/9-steps-for-implementing-gdpr/
  • New Website GDPR policy statement


    Answer:

    The document you are looking for is called a “Privacy Notice” and is regulated by EU GDPR art. 13 - Information to be provided where personal data are collected from the data subject (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) and a template can be found in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/documentation/privacy-notice/).

    To find more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Privacy & GDPR


    Answer:

    What you are looking for is the Privacy Notice where you inform the website visitors/clients about the data you collect when they access/register on the website and you can use the template Privacy Notice in the toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    To find more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Meaning of context determination


    Answer:
    Any organization is an open system interacting with the outside world. So, an organization’s approach to its products, services and priorities is affected by the interested parties (and their needs and expectations), by external issues (like political, economic, social, technological, environmental and legislative ones), and by internal issues (like performance, strategic orientation, history, …). Determining the context of the organization is a way of listing all those issues.
    The following material will provide you information about the context determination:

    - ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - Procedure for Determining Context of the Organization and Interested Parties - https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Considering the lifecycle aspect

    I am trying to consider the lifecycle aspect but do not really know where to start. I would appreciate any help in this.

    Answer:

    I would think of your service as a process with its own lifecycle:

    You purchase consumables – do you have environmental considerations when deciding from whom to buy?
    Your welders have to move to customers’ locations – do you have any environmental considerations about that transport?
    Your welders perform their work and generate some kind of waste – do you have any environmental considerations about how to perform the work and how to handle the waste?

    The following material will provide you information about considering lifecycle aspects:

    - ISO 14001 – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
    - How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Exemplar Global accreditation


    Answer: Exemplar Global certified our ISO 27001 exams according to ISO 17024. For more information see this link: https://exemplarglobal.org/who-we-are/our-accreditations-and-associations/
  • Template content


    Answer: Business continuity management is a set of practices to ensure the continuity of business operations in case of disasters or disruptive events that impact the organization. The main ISO standard for business management is ISO 22301.

    Regarding ISO 27001 implementation, everything you need to comply with section A.17 of ISO 27001 Annex A (Information security aspects of business continuity management) is already included in the toolkit you bought. You can find these documents in folder 08 Annex A A.17 Business Continuity.

    These articles will provide you further explanation about ISO 22301, business continuity, and its applicability on ISO 27001 implementation:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

    This material will also help you regarding business continuity:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Compliance exercise


    Answer:

    From your description it seems that your processing activities concern only individuals in Pakistan and are thus not subject to the EU GDPR. Another thing is that if you are targeting only enterprises, your exposure to personal data could be quite limited.

    Thus, I fail to understand why you would want to become compliant with a piece of legislation which is not applicable to you. However, if you are interested in some advice you can check out our article “9 steps for implementing GDPR” https://advisera.com/articles/9-steps-for-implementing-gdpr/
  • Scope definition


    This has been discussed during our Management meeting and our main trigger is sales related. Most of our customers and prospects strongly request ISO 27001 certification, especially over the past year.

    One thing we are all convinced of is that we would like to attain this, but we still have open points about scope. The main reason is that we are part of a multinational environment and a lot is changing currently. Our IT has been centralized since last year, so there is no local impact on decisions.

    And our backoffice activities will now also get more centralized. From an ISO certification point of view we see a lot of (possible) impact.

    So maybe you could assist me already with one important question. Do we need to go for ISO 27001 certification for the entire organization?

    Or would a certification for a specific part be enough? For example, we mainly require this in environments where we deliver the IT services.

    Would it be possible to get a short reply about the pros and cons? Or maybe a reason not to do this for only a part of the organization?

    I’m responsible for 2 countries. One already has ISO 9001, the other doesn’t.

    Answer: ISO 27001 does not require the entire organization to be in the scope for the certification, so you can define the scope that best suits your organization’s needs.

    For small and mid-size organizations (up to 500 employees) it is often better to include the whole organization in the scope, because the effort to keep only part of the organization in the scope is not worthwhile. For bigger organizations, defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.

    If your organization is smaller than 50 employees you should go for the whole scope.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    This material will also help you regarding scope definition:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Control of documents


    My question is relating to the structure of the documentation, I'm writing the documentation on XXXX and it's going to be (initially) located in a XXXXX.

    I want to make the structure as easy to read/use as possible, so I am thinking of having sub-folders for the likes of Employee procedures, Data-protection policies, and then the ISMS.

    However, some documentation which would be intended for Employee use (e.g. Computer Acceptable Use Policy) would also form a policy under the ISMS for ISO27001. The same applies for Data Protection Policies (such as Data Portability procedures) - this would be covered in the ISMS and Data Security, so I'm uncertain where to locate it.

    I guess to cut a long story short, everything I've seen seems to suggest placing all procedures and policies in the ISMS folder, but logically to me that wouldn't work.

    Can you offer any advice?

    Answer: ISO 27001 does not prescribe how you must organize your documents, so you can place them in the way that is most useful and easiest for your employees to understand.

    My suggestion to you is to keep in the ISMS folder only the high level policies and procedures (e.g., information security policy, document control procedures, internal audit procedure, etc.), and keep specific policies and procedures in the folders most related to them (e.g., the backup policy could be kept in the folder that contains the IT staff documentation).

    These articles will provide you further explanation about document control:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/