
  • Audit team


    Answer:

    Yes, you can. Just make sure you have an appropriately documented audit methodology and have your auditors take some EU GDPR awareness training.

    Also make sure that the persons performing the audit did not do the EU GDPR implementation, due to conflict of interests.

    You can find a useful EU GDPR Foundations course on our website here: https://advisera.com/training/eu-gdpr-foundations-course//
  • Toolkit support


    Answer: Included with our toolkits, you can send filled documents for review (the quantity of documents you can send will depend on the purchased toolkit). We'll provide our comments on how you can improve them or correct items so the documents are compliant with the ISO 22301 standard.

    Specifically for your needs, these documents are included in the toolkit and will help you with exercising and testing:
    - Disaster recovery plan
    - Exercising and testing plan
    - Exercising and testing report

    Please access this link to have an overview of our toolkits documentation review features: https://advisera.com/27001academy/iso22301-documentation-toolkit/#toolkit-options

    Access this link to understand the support: https://advisera.com/27001academy/iso22301-documentation-toolkit/#toolkit-expert
  • Assessment criteria rationale


  • ISO 20000 Lead Auditor


    Answer:
    ISO 20000 Lead Auditor training is what you need. Certification should also be part of the training. Look for a training (and certification) provider in your area.
    ITIL knowledge, i.e. ISO 20000 knowledge and experience, is of great help.
  • Customer feedback and organizational memory


    Answer:

    If your organization:

    - receives and handles customer complaints (one example of customer feedback), that should be kept as documented information;
    - asks customers for feedback about their satisfaction, that information could be obtained in a conversation but, as a good practice, should be recorded and kept as documented information, at least as an input for management evaluation;
    - receives from customers a sort of supplier performance rating, that is also customer feedback, which should be kept as documented information, at least as an input for management evaluation or as input for corrective actions.

    Keeping documented information is a way of keeping the memory of the organization: people can change, and personal memories can play tricks on us, so having an organization's memory is an important feature to learn.

    The following material will provide you information about customer complaints:

    - ISO 9001 – Effective complaints management in a QMS - https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Auditor competence


    Answer:

    As an auditor you should be able to demonstrate your competence to your customers. As a minimum, you should demonstrate certification as lead auditor, and certification that you know the standard. So, I would recommend a training to formalize your knowledge of ISO 9001:2015. Please see the links below about how to integrate ISO 27001 and ISO 9001.

    The following material will provide you information about ISO 9001 and ISO 27001 integration:

    - How to integrate ISO 9001 and ISO 27001 - https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/
    - Using ISO 9001 for implementing ISO 27001 - https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  • Exceptions

    1. Information about other people -
     a) does this mean that we do not need to disclose any email content to a requester that contains a reference or information relating to other people?
     b) does this mean that we do not need to disclose CCTV footage that contains other people in it?
    2. If we were to classify all documentation and electronic communication as 'Confidential' and/or as only "opinions held by the company", do we need to disclose any information at all? It would appear that if we can show that we have classified it as "Opinions" we are not bound to share. "does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence" and "In general, privileged information includes any document which is confidential"

    Answer:

    Regarding your 1b question, you can provide the email content to a requester if the information only concerns him; if there is other information concerning other persons, that information should be removed.

    As far as CCTV goes, unless you can blur the faces of the other data subjects, you don't need to disclose the images. There is also the situation where the requester could provide you with the consent of the other data subjects who were caught on tape to disclose the footage (this is most likely only in theory). Be aware that if the requester is a law enforcement agency, you need to comply based on your local legislation.

    The "Opinions held by the Company" refer to legal opinions provided by a qualified lawyer that are under "lawyer–client privilege". As for "Confidential" information, you can always remove the confidential part of the document and just leave the information about the requester.
  • Risks and interested parties

    1. You determined the risks in your QMS processes. Have you evaluated them? Have you decided to perform some actions on the most critical ones? Also, risks are not only about product and service non-conformities. You can consider the risk of a cyber-attack, or the risk of losing an important worker with lots of know-how, or the risk of a new competitor with a disruptive approach.
    2. Ok, but don't forget the implications of that list; perhaps you should identify risks and opportunities linked to those interested parties. Have you determined the relevant requirements of interested parties?

    The following material will provide you information about the risk-based approach:
    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Controller/Processor and DPO

    Normally most schools collect names, addresses, birthdays, sex, race, religion, phone numbers, etc. This is not dictated by us, but is relevant to any reporting the school needs to do.
    1. Controller/Processor: We are fairly confident that we will need to assume the role of controller and processor.
    2. DPO - Again, we believe we will need a DPO or need to assign someone in the company the responsibility of overseeing our GDPR compliance. We have based this decision on the fact that student information saved in our database can be processed by the schools in the form of reports for internal and external purposes.
    Based on the information I have included, would you agree?

    Answer:

    For your first question, you cannot be processor and controller for the same processing activity. From the description, it seems to me that for the processing activity you mentioned you are a processor and the schools are the controllers, because they are the ones deciding the means and purposes of the processing while you are just providing the system which they use.

    As for your second question, especially because most of the personal data belongs to minors and because you are also processing sensitive personal data such as religion, I would advise you to appoint a DPO.

    You can find out more about the tasks of the DPO in our article "The role of the DPO in light of the General Data Protection Regulation": https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

    I also invite you to go through our online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Steps to become GDPR compliant


    Answer:

    My understanding from your description is that you are acting as a processor and providing telemedicine software. The fact that you are dealing with healthcare data, which is sensitive personal data as per Article 9 (1) - Processing of special categories of personal data (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/), puts you at the top of the list as regards the risk of processing.

    Depending on the size of your company, as well as the complexity of your processing activities and the number of clients, an implementation project can take anywhere between 3 and 12 months, with the costs varying based on the same criteria mentioned in the beginning. You can check out our "Comparison matrices for implementing EU GDPR documentation" (https://advisera.com/eugdpracademy/comparison/) to see what implementation model better suits your business.

    We can also provide you our EU GDPR Documentation Toolkit, which comes in three convenient versions that include expert consultancy from our EU GDPR experts. You can find out more about our Toolkit here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    You can also access our online training EU GDPR Foundations Course to get a more in-depth view of the EU GDPR requirements: https://advisera.com/training/eu-gdpr-foundations-course//