
  • Creation of the GDPR privacy notice

    • In section 1 of 02.3_Privacy_Notice_EN.docx, your comments state that I should include personal data categories. I cannot find much information about the definition of personal data categories. Is the following a good set of personal data categories?
    Contact’s full name
    Contact’s job title
    Contact’s phone number
    Contact’s email address
    Registrant’s full name
    Registrant’s gender
    Registrant’s date of birth
    Registrant’s examination venue
    Registrant’s intended destination school
    Registrant’s examination subject options
    Registrant’s Special Education Needs (SEN) flag
    Registrant’s current school

    • In section 3 of 02.3_Privacy_Notice_EN.docx, your wording states ‘No third party providers have access to your data, unless specifically required by law’. Is the third party provider you mention the same as a third party processor? In the case of our company, we use a number of external processors to fulfill various aspects of our business (such as printers, online assessment providers etc.) and these processors receive some of the data subject’s personal data. Should my use of external processors get declared in this document? If my assumption is correct, what level of detail should I include? Do I need to state each company and what personal data is transferred to them?

    Answer:

    Personal data is defined in EU GDPR article 4 – “Definitions” https://advisera.com/gdpr/definitions/ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. You can easily observe that the definition is very broad.

    The examples you provided are consistent with the definition of personal data. To continue with some examples you can use the following taxonomy:
    □ Personal master data (e.g. name, surname, date of birth)
    □ Communication data (e.g. telephone, e-mail, address)
    □ Contract master data (contractual relationship, product or contract interest)
    □ Customer history
    □ Contractual invoicing and payment data
    □ Planning and control data.
    □ Academic and professional data (training / qualifications, professional experience).
    □ Employment details (work center, job position and department).
    □ IP addresses
    □ Transaction data (bank accounts, transaction history etc.)

    2. Your assumption is right. Third parties refer to the suppliers to whom you may be transferring personal data. Here you can be quite broad: you can just refer to the categories of suppliers, and you definitely don’t need to state the names of the suppliers.

    You can use wording something like: “We may transfer personal data to third party service providers, such as our IT systems providers, our hosting providers, cloud service providers, database providers, consultants (including lawyers, tax accountants, labor consultants) and third parties who carry out pre-employment or pre-engagement checks on prospective employees and contractors and other goods and services providers (such as food service providers) - each of these service providers has signed contracts to protect your personal information.”

    You can find out more about Privacy Notices from our webinar “Privacy Notices Under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Databases compliant with the GDPR

    - One to send regular updates on our activities to people who requested it once, either by opting-in on our website or sharing their contacts details during an event. It also contains people who registered to our events, but in that case, the fact that we would keep their details to update them on our activities was not explicit.
    - A stakeholders mapping with details of people that we contact once in a while, on an ad-hoc basis (meetings, polls, etc.)
    My questions are the following:
    1. How to make these databases compliant with the GDPR?
    2. In which conditions can we keep personal data such as name, email, position and organisation?

    Answers:

    1. For the first database it seems to me that your processing activity, namely sending emails to promote your activities, is based on the consent of the individuals. Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR if it also meets the requirements of the Regulation. The EU GDPR requests that the consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes (Article 7 – Conditions for consent - https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/). Also, as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual.

    There are several consequences of the consent requirements under the EU GDPR:
    - consent must be in an intelligible and accessible form in clear and plain language and in accordance with the Directive on unfair terms in consumer contracts.
    - where the request for consent is part of a written form, it must be clearly distinguishable from other matters.
    - consent must consist of a clear affirmative action. Inactivity or silence is not enough and the use of “pre-ticked boxes” is not permitted.
    - if the relevant processing has multiple purposes, consent must be given for all of them.
    - consent will not be valid if the individual does not have a genuine free choice or if there is a detriment if they refuse or withdraw consent.
    - consent might not be valid if there is a clear imbalance of power between the individual and the controller, particularly where the controller is a public authority.
    - you cannot “bundle consent”. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
    - consent is presumed not valid if it is a condition of performance of a contract.
    - the individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.

    Considering the above mentioned conditions, you need to check your consents: if they match the requirements you are fine; if not, you may need to reach out to the individuals to obtain a compliant consent.

    Regarding your second database, if the individuals are members of your organization or stakeholders, you can base your processing activity on legitimate interest and you can contact them for meetings, polls and similar activities. No consent is needed; you just need to provide them with a Privacy Notice as required by EU GDPR article 13 - Information to be provided where personal data are collected from the data subject https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/

    2. In order to process any personal data a controller such as your NGO must ensure the processing of personal data complies with all six of the following general principles:
    1. Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner;
    2. Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes);
    3. Data minimization - Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed;
    4. Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted;
    5. Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes); and
    6. Integrity and confidentiality - Personal data should be kept secure.

    Besides respecting the principles set out above, processing of personal data will only be lawful if it satisfies at least one of the following processing conditions:

    a. Consent - The individual has given consent to the processing for one or more specific purposes.
    b. Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract;
    c. Legal obligation - The processing is necessary for compliance with a legal obligation to which the controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient);
    d. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies;
    e. Public functions - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law; or
    f. Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.
  • ISO 27001 implementation


    Answer: For the implementation of an ISMS compliant with ISO 27001, the leading ISO standard for information security management, you should consider these steps:
    1) getting management buy-in for the project;
    2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
    3) development of risk assessment and treatment methodology;
    4) perform risk assessment and define risk treatment plan;
    5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    6) people training and awareness;
    7) controls operation;
    8) performance monitoring and measurement;
    9) perform internal audit;
    10) perform management critical review; and
    11) address nonconformities, corrective actions and opportunities for improvement.

    This article will provide you further explanation about ISMS implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Regarding implementation approaches, the most common are:
    - Use your own staff to implement the ISMS
    - Use a consultant to perform most of the effort to implement the ISMS
    - Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

    Each one of them has its advantages and disadvantages. For more information, I suggest you the following materials:
    - 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Audit scope


    We realise that we have common controls across our group as well as differences and our approach to implementation is to have a corporate control with localisations if required.

    Will the auditing need to occur for each of our three companies or will the parent company only be audited? The answer to this question will have a bearing on whether the ISO implementation is separate in each company or we can share common controls.

    Answer: The audit will have to be performed on all sites defined in your scope. Considering that, you have these options to consider:
    - A single scope for all three companies. In this case all companies will have the same certification and will need to be audited during the same audit event.
    - A scope for each company. In this case each company will have its own certificate and can be audited in a separated event.

    A single certification means reduced cost, but increases the logistics complexity during the audit, as opposed to having a certification for each company.

    Regarding common and specific controls, if you have a single scope this will not make a difference in the audit event. As for adopting different scopes, you will have to identify which company manages the corporate controls and include this information in the scope of the other companies, stating this situation as a relevant interface for these companies.
  • Evidencing Leadership and commitment


    Answer:

    Objective evidence can be gathered through interviews, observation and documented information observation. For example:

    evaluating alignment between information and other evidences shown during interviews with the practices, real performance and documented information;
    evaluating participation in communication and awareness events;
    ensuring that the EMS is integrated in the business management system;
    ensuring resources for the operation and improvement of the EMS;
    ensuring that actions are taken when there is a gap between real and desired performance

    The following material will provide you information about leadership and commitment:

    - ISO 14001 – How to demonstrate leadership according to ISO 14001:2015 - https://advisera.com/14001academy/blog/2015/10/05/how-to-demonstrate-leadership-according-to-iso-140012015/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/knowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • In-house verification instead of outside calibration


    Answer:

    First, do not forget that clause 7.1.5 is about monitoring and measuring resources used to verify conformity of products and services. Monitoring and measuring resources used to verify conformity of processes is not mandatory.

    Second, your suggestion is acceptable and used by several organizations.

    The following material will provide you information about monitoring and measuring resources:

    - ISO 9001 – Analysis of measuring and monitoring requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Integrating ISO 27001 to business


    (1 - I would like to know more about the elements of document control procedures, corrective and preventive actions and internal audit. How specifically will I put this in the company's documentation what stage? In addition to document control procedures, corrective and preventive actions and internal audit, roles and responsibilities of employees, suppliers and third parties, contracting terms and conditions, operating procedures of information processing facilities.)

    Answer: For detailed information about the issues you stated, I suggest you these articles:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

    Regarding how you can implement these in your organization, you must first identify your organization's approach toward document control. If your organization has no document control procedure at all, I suggest you take a look at the free demo of our Procedure for Document and Record Control at this link: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/

    Regarding contracting terms and conditions and operating procedures of information processing facilities, their content will depend on the results of a risk assessment to identify the relevant risks that must be treated.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/

    (2 - How would these audits be done?)

    Answer: The performance of internal audits follows these general steps:
    - Audit planning
    - Audit performing
    - Audit report
    - Audit treatments follow up

    In the previous answer you can find additional references.

    (3 - What is possible, practical and acceptable to elaborate by tables?)

    Answer: ISO 27001 does not define how to implement the documentation (it only requires that documents and records must be controlled), so organizations are free to implement them as they see fit. So, tables are acceptable as a means to control documents if they can fulfill the standard's requirements.

    This article will provide you further explanation about document elaboration:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Stage 1 and stage 2 audits


    Answer:

    Sorry, I cannot help you regarding ISO 2200, but about ISO 9001:2015 - First comes the stage 1 audit: the auditor (or audit team) will review the management system documentation and compare it with the requirements of the standard, and will verify if the scope of certification is clear and doesn’t present misleading information. Also included is a review to ensure that internal audits and management review are being planned and performed, and that the level of implementation of the management system indicates that the organization is prepared for the stage 2 audit.

    If weaknesses are identified in the Stage 1 audit, these must be corrected by the organization before the Stage 2 audit.
    While the stage 1 audit is about documentation and is normally performed in a meeting room, the stage 2 audit is performed at the places where people do their jobs and is much more practical, much more about whether the employees are complying with everything that is written in the documentation. This is achieved by means of interviewing the employees, examining the relevant documents, records, forms and guidelines and also by visiting relevant areas of the organization. The point is – the auditor can talk to anyone, visit any part of your company and see any document within the scope of the certification.

    The following material will provide you information about implementing a QMS:

    - ISO 9001 – How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Categories of Personal Data

    For example: If this processing includes bank account number, which in its own right is not enough to identify a „Data Subject“, should we include that in the „Categories of Personal Data“ column? What about amounts, dates etc. ?

    Answer:

    Personal data is defined in EU GDPR article 4 – “Definitions” https://advisera.com/gdpr/definitions/ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. You can easily observe that the definition is very broad.

    Coming back to your question, you need to put in there also the information which relates to a data subject, and a bank account is one such piece of information. To continue with some examples, you can use the following taxonomy:

    □ Personal master data (e.g. name, surname, date of birth)
    □ Communication data (e.g. telephone, e-mail, address)
    □ Contract master data (contractual relationship, product or contract interest)
    □ Customer history
    □ Contractual invoicing and payment data
    □ Planning and control data.
    □ Academic and professional data (training / qualifications, professional experience).
    □ Employment details (work center, job position and department).
    □ IP addresses
    □ Transaction data (bank accounts, transaction history etc.)

    To learn more about personal data under the EU GDPR see this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
  • Filing criteria


    Answer:

    There is no universal rule for filing ISO 14001 records. You can file by clauses or, for example, by topics like: Calibration Records for Monitoring & Measurement Equipment or Compliance obligations records.

    The following material will provide you information about records of an EMS:

    - ISO 14001 – ISO 14001 Control of Records - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-control-of-records/
    - How to structure ISO 14001 documentation - https://advisera.com/14001academy/blog/2016/11/28/how-to-structure-iso-14001-documentation/
    - Checklist of Mandatory Documentation Required by ISO 14001:2015 - https://info.advisera.com/hubfs/14001Academy/14001Academy_FreeDownloads/Checklist_of_ISO14001-2015_Mandatory_Documentation_EN.pdf?t=1493193615266
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/