.07 Adequate data protection safeguard. Pursuant to §301.7216-3(b)(4), a tax return preparer located within the United States, including any territory or possession of the United States, may disclose a taxpayer’s SSN to a tax return preparer located outside of the United States or any territory or possession of the United States with the taxpayer’s consent only when both the tax return preparer located within the United States and the tax return preparer located outside of the United States maintain an adequate data protection safeguard at the time the taxpayer’s consent is obtained and when making the disclosure. An adequate data protection safeguard is a management-approved and implemented security program, policy, and practice that includes administrative, technical, and physical safeguards to protect tax return information from misuse, unauthorized access, or disclosure and that meets or conforms to one of the following privacy or data security frameworks:
(1) The United States Department of Commerce “safe harbor” framework for data protection (or a successor program);
(2) A foreign law data protection safeguard that includes a security component (e.g., the European Commission’s Directive on Data Protection);
(3) A framework that complies with the requirements of a financial or similar industry-specific standard that is generally accepted as best practices for technology and security related to that industry (e.g., the BITS, Financial Services Roundtable, Financial Institution Shared Assessment Program);
(4) The requirements of the AICPA/CICA Privacy Framework;
(5) The requirements of the most recent version of IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities; or
(6) Any other data security framework that provides the same level of privacy protection as
Answer: ISO 27001 is a general framework for managing information security, with a set of controls that can be applied according to an organization's context and requirements, while the frameworks you mentioned are specific to defined situations. So you can consider that these frameworks can be implemented, operated, managed and improved with the help of ISO 27001, but 27001 is not an equivalent to any of these frameworks (it can only help manage them, but cannot replace them).
What I miss in the forms bundle are perhaps more marketing related: cookie consent, policy samples with different data retention periods (it seems cloud services will offer different plans for retaining data, for example Google Analytics https://support.google.com/analytics/answer/7667196?hl=en ) and perhaps some samples for giveaways or prize games. In short: marketing forms for web portals. Perhaps at an additional charge.
E-news consent fits well in the general consent form, but other services are more unpredictable, because they include a lot of different cloud services.
Answer:
Regarding the structure of the EU GDPR Implementation Toolkit, the documents within are meant to be cross-industry and are not tailor-made for digital marketing companies or any particular industry. However, regarding the cookie consent, this is no different from regular consent (which you can find in folder 4 of our EU GDPR Documentation Toolkit); it is just a matter of adapting the wording a little bit. As for the data retention, there is a Data Retention Policy and a Retention Schedule in folder 2 of the EU GDPR Documentation Toolkit.
If you want to receive dedicated privacy services, you can contact one of our privacy consultants directly and schedule a meeting to discuss your needs further with them. You can schedule a meeting here: https://advisera.com/eugdpracademy/free-consultation/
Definition of personal data
The answer is not simple; just a name and e-mail address is not in itself personally identifiable information. A posteo.de account can be set up in a fairly anonymous manner, and if I am careful you can't use it to find me or my other persona. Collecting more information or correlating information to trace back to an individual (like birthdate or bank details) turns the data set into personally identifiable information.
Selling or sharing the data with someone who can use big data to profile individuals would be a problem under GDPR unless you clearly told people that is what you are doing with the data before they grant you access.
Certain privacy nerds have always held information carefully, e.g. if I don't trust you then you get a spam mail address that is used for no one but you. I have roughly 15 myself and only use 3 for outgoing mail.
#MaytheFourthbewithyou
Conditions for consent
Answer:
As regards consent, the EU GDPR in its Article 7 “Conditions for consent” (https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/) mentions that the consent should be presented in writing to the data subject. This does not mean that the consent needs to be a written paper form. You can choose to collect the consent on your web page by asking the data subject to perform an action such as ticking a box; this would serve to prove without any doubt that the data subject agreed to the processing activity. The consent must consist of a clear affirmative action. Inactivity or silence is not enough, and the use of “pre-ticked boxes” is not permitted.
When getting the consent in an online environment you need to reasonably prove that the consent came from the respective data subject; thus you need to be able to identify the data subject and log (record) his/her affirmative actions on your website.
In this case my opinion is that you need to provide the individual with a privacy notice informing them about who you are and what you are doing with their data.
On the other hand, since the employer would be the one sending the personal data to you, they will also need to provide a privacy notice of their own at their end, stating, among other things, that they will be sharing data with third parties such as yourself.
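The answer above describes what a web form has to deliver as evidence of consent: a box that is unticked by default, a refusal to treat silence or a non-affirmative value as consent, an identified data subject, and a logged record of the action. The following is an added example of how a server-side handler can enforce and record exactly that; it is not code from the EU GDPR toolkit or from Advisera. The form field names, the `subject_id` (assumed to come from an already authenticated or verified account), the `notice_version` label and the sample submissions are all constructed for the example.

```python
"""Consent evidence record for a web opt-in form (added example).

Assumed context: the visitor is already identified (subject_id), the privacy
notice shown next to the box has a version label, and the form posts a
checkbox field whose name is passed in as `field`.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

# Values a browser sends for a ticked checkbox. Anything else is not an opt-in.
AFFIRMATIVE_VALUES = {"on", "true", "1", "yes"}


class ConsentError(ValueError):
    """Raised when a submission does not carry a clear affirmative action."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str       # identifier of the verified data subject
    purpose: str          # processing purpose the consent covers
    notice_version: str   # version of the privacy notice shown with the form
    given_at: str         # UTC timestamp, ISO 8601
    source: str           # where the action happened, e.g. "web:newsletter-form"
    digest: str           # SHA-256 over the other fields, for tamper evidence


def render_consent_checkbox(field: str, label: str) -> str:
    """Render the opt-in box without a `checked` attribute (no pre-ticked box).

    The field only reaches the server when the user ticks it, so its
    presence in the submission is the affirmative action being recorded.
    """
    return f'<label><input type="checkbox" name="{field}" value="on"> {label}</label>'


def _digest(fields: dict) -> str:
    """Hash a canonical JSON encoding so later edits to the record are detectable."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def record_consent(form: dict, field: str, subject_id: str, purpose: str,
                   notice_version: str, source: str,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Turn a form submission into a consent record, or refuse.

    An absent field (silence/inactivity) or a value that is not an explicit
    opt-in is rejected, and so is a submission that cannot be tied to an
    identified data subject.
    """
    value = form.get(field)
    if value is None:
        raise ConsentError(f"{field!r} not ticked: inactivity is not consent")
    if str(value).strip().lower() not in AFFIRMATIVE_VALUES:
        raise ConsentError(f"{field!r}={value!r} is not a clear affirmative action")
    if not subject_id:
        raise ConsentError("consent cannot be attributed to an unidentified data subject")
    given_at = (now or datetime.now(timezone.utc)).isoformat()
    fields = {"subject_id": subject_id, "purpose": purpose,
              "notice_version": notice_version, "given_at": given_at, "source": source}
    return ConsentRecord(**fields, digest=_digest(fields))


def verify_record(rec: ConsentRecord) -> bool:
    """Recompute the digest; False means the stored record was altered."""
    fields = asdict(rec)
    fields.pop("digest")
    return _digest(fields) == rec.digest


if __name__ == "__main__":
    # Constructed sample submission: the visitor ticked the newsletter box.
    posted = {"newsletter": "on", "email": "visitor@example.invalid"}
    rec = record_consent(posted, "newsletter", subject_id="user-42",
                         purpose="e-news", notice_version="notice-v1", source="web:signup")
    print(json.dumps(asdict(rec), indent=2), verify_record(rec))
```

The record carries the notice version deliberately: if the privacy notice is later reworded, the log still shows which text the data subject actually agreed to, which is what you will be asked to produce when demonstrating that consent was obtained.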
2. Provides an outline of governance for a Representative (Art 27); provides the outline of governance for a DPO (Art 37-39).
Answers:
1. I think what you are looking for is the Privacy Notice that needs to be delivered to the data subjects when the data is not obtained from him/her. This is a requirement of EU GDPR article 14 “Information to be provided where personal data have not been obtained from the data subject” https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/
This can be achieved by using the “General Data Protection Notice” in folder 2 and adding another mention regarding the source from which the personal data was obtained.
2. The EU GDPR in article 27 “Representatives of controllers or processors not established in the Union” https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/ requires that under certain circumstances controllers need to appoint a representative in the EU. The administrative appointment itself is subject to the local jurisdiction of the place where the representative would be appointed, which is why there is no such template in the toolkit. However, references to the representative can be found in the General Data Protection Policy in folder 2 of our EU GDPR toolkit.
As regards the DPO, you can find a Data Protection Officer task description in folder 2 of the EU GDPR implementation toolkit. You can also learn more about the duties of a DPO from our article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
Asset inventory
Answer: The assets to be included in your asset inventory must be related to all processes included in your ISMS scope, so even if you have a single department responsible for physical and environmental security, you have to consider all rooms from all other processes that are included in your ISMS scope.
so I can update that document accordingly as we got a NC for this during an audit?
Answer: Control A.18.2.3 (Technical compliance review) requires regular review of the organization's compliance with information security policies and standards, so this control can be covered by the Internal Audit procedure template. You should also consider reviewing the documents from the toolkit that you implemented that regulate technology issues (e.g., Policy on the Use of Cryptographic Controls), because responsibilities defined in them may cover some degree of compliance review.
It is important to note that there is no need to create a new document to cover this control; rather, it is much better if you cover this control with existing documents from the toolkit.