
  • Toolkit content


    Answer: Included in your toolkit there is a List of Documents file which correlates each template with the clauses of ISO 27001 it covers.

    Clause 6.2 is covered by the template Risk Treatment Plan, which can be found in folder 7.
  • Critical processes, RTO and RPO


    Answer: To identify the business-critical processes you must first understand your organization's context and identify your relevant interested parties' requirements (e.g., products and services they demand, delivery conditions, laws and regulations to be fulfilled, etc.). Based on that you can identify which processes are critical to your business.

    Regarding RTO and RPO, they are more defined than calculated, because they are based on the needs and expectations of your interested parties, which most of the time reflect clauses in contracts, laws or regulations, and historical data (statistical data can also be present). So, if your definition of RTO or RPO can be supported by a solid justification, it is not mandatory for you to search for a formula to calculate them.

    This article will provide you with further explanation about BIA, RTO and RPO:
    - What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

    This material will also help you regarding BIA, RTO and RPO:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
  • Where to start IATF 16949 implementation


    Answer:

    The best way to start is with gap analysis to determine to what level your organization is already compliant with requirements of the standard and what needs to be done to achieve full compliance. According to the results of the gap analysis, you can start planning the implementation project and define all activities to be performed.

    Here you can download our free IATF 16949:2016 Implementation diagram https://info.advisera.com/16949academy/free-download/iatf-16949-implementation-diagram

    As far as the internal audit goes, you can use an internal audit checklist; it is a valuable tool that can help you avoid missing something out. Here you can download a free preview of our Internal QMS Audit Checklist https://advisera.com/16949academy/documentation/internal-qms-audit-checklist/
  • Personal data protection policy

    2. Ideally a DSAR should be in writing. Under GDPR, can a DSAR be made verbally by the data subject? Must my organization also be prepared to receive DSAR via social media?

    Answer:

    The Personal data protection policy is intended to be a commitment of the Company towards achieving compliance with the EU GDPR and could be made public if the Company wants. The Employee data protection policy is meant to regulate within the Company how the HR department uses employee data and under what conditions those data are processed. So the main difference is the target audience of the two documents.
    It is advisable to set up dedicated channels to manage data subject access requests, and one reason for this would be to make sure you properly identify the data subject, so you would need to ask for certain identification elements.
    If you receive requests via other channels, you need to make sure that you can reasonably and accurately identify the data subject before responding to the request. There is no obligation for the data subject to use a certain channel, and you need to reply nevertheless.

    To find out more about data subject access requests check out our webinar “Data Subject Rights under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Auditees and corrective actions


    Answer:

    I presume that you are asking why auditees need to be involved in the development of a corrective action after an internal audit. The development of sound corrective actions depends on the determination of the cause(s) of a nonconformity. Normally, auditees are in the best position to identify possible cause(s) and to determine actions to remove or minimize them. Previous versions of ISO 9001 made it mandatory that the management of the audited areas was responsible for the development of corrective actions; ISO 9001:2015 only requires that the audit results be reported to the relevant management.

    The following material will provide you with information about the risk-based approach:

    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Internal Auditor Course – https:// /course/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Marketing activities

    I own a sandwich bar and run an advert in my local newspaper that says I am giving a 25% discount off any orders. Consumers can get a voucher for this discount by texting the word “discount” to the advertised number and receive a text message by return that contains the voucher code. The text message they receive will include the standard “Optout reply STOP” statement. Two months later I want to send a text message to all 263 people who replied to the first advert to tell them that I now have another offer which is that when they buy their next order they can have a free drink!
    I have one question… which of the following actions would be compliant with GDPR ?
    1. I cannot send them another text message until I receive their written consent to do so
    2. I can send them another text BUT this must only contain a link to my privacy notice where they must provide consent.
    3. I can send them another text message as long as I continue to include the “Optout reply STOP” statement

    Answer:

    1. The general rule is that you must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. So, you may use the “soft opt-in” for your existing customers, and in this case you need to provide the customer with the possibility to opt out at any time. When I refer to existing customers I mean the customers that actually used the discount voucher. Your legal basis for processing would be legitimate interest.

    Besides the possibility of opting out, the data subject will need to be provided with a privacy notice as provided by EU GDPR article 13 - Information to be provided where personal data are collected from the data subject - https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/ For the individuals not using your discount but whose data you have received, I would reach out to ask for consent.

    2. You definitely need to provide the information in the privacy notice in both cases.
    3. The possibility to opt out has to be provided whenever a message is sent to the data subject, especially when the lawful basis for processing is legitimate interest rather than consent.

    You might find our article “How does GDPR impact marketing activities?” - https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/ as well as our webinar “How GDPR Affects Marketing Practices” - https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/ useful.
  • Data Processor Addendum


    As we are a reporting tool, the above PII is the only information we request from our customers and store this information in Salesforce (Salesforce is a data processor to us).

    We are being requested to sign a Data Processor Agreement with our customers and believe we are more of a Data Controller in this instance. Could you clarify.

    Answer:

    My understanding is that you are providing reporting software to customers who would be required to register with a username and email to start using the software. In this instance you are a controller, because you are determining what information is required from a customer to register.

    I assume that the reporting software is addressed to companies rather than individuals. In this instance, if the companies that are your customers use the reporting software to process personal data of their own individual customers, that would make you a processor when providing, for example, hosting and/or maintenance.

    To find out about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” - https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Records of consent


    Answer:

    The fact that you don’t have records of consent basically means that you don’t have any consent. Legitimate interest could be used for marketing only if you can prove that how you use individuals' data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. If the individuals that you want to send marketing to are already your customers, their details were collected in the context of a sale, and the individual was given the ability to opt out at that time, then you can use legitimate interest to send information about the goods and/or services you provide. If you can't rely on legitimate interest, you need to reach out to the data subjects to obtain their consent.

    You might find our article “How does GDPR impact marketing activities?” - https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/ as well as our webinar “How GDPR Affects Marketing Practices” - https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/ useful.
  • Software validation for raw material supplier

    We are a raw material manufacturer, planning to supply the medical device industry. Are we required to comply with the software validation section within ISO 13485:2016, which seems to be talking about medical device manufacturers?

    Answer:

    Applicability of ISO 13485 to your business is questionable, depending on the raw material that you supply to the customer. Clause 1, Scope, of ISO 13485 says that the standard is applicable to organizations that need to demonstrate the ability to provide medical devices and related services. It is limited to organizations that are involved in one or more stages of the product life-cycle, including design and development, production, storage, distribution, installation or servicing of medical devices. Supply of raw materials is not mentioned in the standard, so if you don't supply your customer with parts of the medical device but only with raw materials, the standard is hardly applicable to your business.

    If you don't have an ISO 13485 certificate and are not planning to implement the standard, the requirements for software validation are not applicable to you. If you are planning to implement the standard, exclusion of all requirements for software validation will be impossible, because the standard allows exclusions only from clauses 6, 7 and 8, but the first requirement for software validation is in clause 4.1.6.

    In your case, it might be better to implement ISO 9001 instead of ISO 13485, since it is more widely applicable and you can also include all requirements of your customer in your Quality Management System regarding medical devices, but you will avoid many requirements of ISO 13485 that would be redundant and inapplicable for your type of business.
  • Asset inventory


    Answer: The article presents enough information for you to build an asset inventory compliant with ISO 27001, but since ISO 27001 does not prescribe which details must be listed in the asset inventory, you should work with members of your organization to identify other information that can be useful, like asset category, its location, some notes, etc.

    I suggest you take a look at the free demo of our Inventory of Assets at this link: https://advisera.com/27001academy/documentation/inventory-of-assets/ so you can see what an inventory of assets looks like.
    This article can also provide you useful information about the inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
