
  • Rationalizing RPO


    Answer: Basically, the RPO means the volume of data stored/processed in a time frame before the occurrence of a disruption that the organization accepts to lose. For example, if you have an RPO of 4 hours, it means the organization accepts to lose the data stored/processed in the last 4 hours before the disruptive incident.

    Since the variables to evaluate such loss will depend on the business process evaluated, there is no general formula to apply (e.g., for a sales website the number of transactions lost can be a parameter, and for a cloud storage service the volume of data lost can be the parameter). The way to rationalize RPO is by assessing the damage for different amounts of data loss; then they will be able to recognize what is acceptable and what is not.

    This article will provide you further explanation about RTO and RPO:
    - What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • Right to Be Forgotten/Erasure


    Answer:

    The right to be forgotten does not apply when the processing is:

    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.

    So, as you can see, setting up a conventional retention period does not give you the right to object to an “erasure” (right to be forgotten) request.
  • DPO Training

    We can keep personal data of clients once they are no longer our customers.
    (1) True
    (2) False
    The answer as posted on your website is #2. I disagree with this answer. Please help me understand why I am wrong. Here is an example.
    I use a provider of electricity. I then cancel my service with this provider and switch to another. I can still log into the first electricity service provider's website and review my historic bills and they have an account profile on me. This is a legitimate purpose for keeping my personal data even though I am no longer their customer. The same applies for banks, credit cards, etc. Why is the answer false to your question?

    Answer:

    Article 5.1.(e) of the EU GDPR - “Principles relating to processing of personal data” https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/ states that personal data shall be kept “no longer than is necessary for the purposes for which the personal data are processed”, which means that indeed once someone ceases to be your customer their data should be deleted. This is the general rule and this is why the correct answer is “No”.

    However, there are some derogations that may apply, such as when there is a legal requirement to keep personal data even if the processing activity is over. The bills and transaction history are usually kept for a certain period of time, between 5 and 10 years, for regulatory purposes, so the legal ground for processing in this case is legal obligation, not legitimate interest.
  • GDPR DPO Job Description


    Answer:

    According to Recital 97 of the GDPR “data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.”

    Also, Art. 38 of the EU GDPR - “The data protection officer may fulfill other tasks and duties” https://advisera.com/eugdpracademy/gdpr/position-of-the-data-protection-officer/. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

    Also, one of the major roles of the DPO is to protect the rights and freedoms of the individuals whose data are collected. If the employee is both appointed as DPO and is also responsible for determining the purposes and means of processing of individuals' data, this conflicting situation would jeopardize the independence of the DPO.

    Signing an additional agreement ensuring that the responsibilities of that other function do not affect the carrying out of the DPO role could be a solution for you if the DPO will not be responsible at all for determining the purposes and means of processing (not only on documents but also in the day-by-day tasks). To be honest, this approach is not foolproof, since it might be difficult in practice for someone to play two conflicting roles.

    Another solution would be to appoint an external DPO, which represents an easy way to solve the conflict of interest issues and challenges presented by the requirements for independence.

    You can find out more about the role of the DPO from our article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
  • B2B - Supplier information


    Answer:

    Data belonging to a company, such as company name, address, registration number and VAT code, do not fall under the category of personal data.

    However, if the data refer to an employee of a company, then they are to be considered personal data and fall under the EU GDPR.

    To find out about personal data you can check out our free EU GDPR Foundations course https://advisera.com/training/eu-gdpr-foundations-course//
  • Users agreement


    Answer:

    You would be able to do that provided you put this information in your website's Privacy Notice.

    To find out more about privacy notices you can check out our webinar Privacy Notices under EU GDPR https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Cross border processing


    Answer:

    If the data is stored outside the EEA, the answer is yes. Usually Microsoft and Google mention in their T&C or similar documentation where the data would be stored. Check this article: https://cloud.google.com/security/gdpr/
  • Supervisory authority

    We are based in Australia and are setting up an (Art 27) Representative office service and a DPO service based out of the UK for Australian businesses to use. Happy to answer questions. Mike Pym. Gordian 02 8075 3805. You must choose a rep service in one of the countries where your relevant data subjects are located, but that rep service can be used for all EU Member States' data subjects. The rep service is different to a DPO, and you will need both in this case. Brexit will make a difference, but what difference only time will tell! Hope that helps.
  • Definition of OLA


    Answer: An OLA (Operational Level Agreement) is basically an internal agreement between your organization and a part of the same organization (for example, an agreement between the IT department and the Marketing department), and the content of this agreement depends on the specific agreement established in each case (I mean, it depends on the service that one party wants to provide to the other party), but you can use this template for your project, where you can define the agreement of the project, relationships, service requirements, planning/schedule, duration, etc. “Acuerdo de nivel operacional (OLA)” (Operational Level Agreement) https://advisera.com/20000academy/es/documentation/acuerdo-de-nivel-operacional-ola/

    And this article may also be of interest to you: “SLAs, OLAs and UCs in ITIL and ISO 20000” https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/
  • AS9100 Manual from a consultant

    Answer:
    This is one of the problems with consultants that do not take into account the processes that are currently in the company when they choose what to document in a QMS: does what is documented actually add value? There are a few things to consider now that you have the manual, even if it was adapted from another template manual:
    - Do we actually do the things that the manual states?
    - Does the manual add a necessary process that we did not have in place before?
    If the answers to these are positive, then the manual may be beneficial to you. On the other hand, if the manual:
    - Has written detail that you do not do
    - Has processes that are not required by your company, or AS9100 Rev D
    - Is wordy or complex such that it will confuse your employees
    If these are true, then the manual is not only lacking in value, it is actually a problem, since you will fail when your employees are audited against the manual. When you have a consultant working for you, what you want is to ensure that what they write down is actually what you do, so that people follow it.
    For more on dealing with consultants there is a good checklist on 9001Academy that can help with choosing a consultant that is relevant to the AS9100 QMS: https://info.advisera.com/9001academy/free-download/list-of-questions-to-ask-an-iso-9001-consultant