Answer: Included with our toolkits, you can send filled documents for review (the quantity of documents you can send will depend on the purchased toolkit). We'll provide our comments on how you can improve them or correct items so the documents are compliant with the ISO 22301 standard.
Specifically for your needs, these documents are included in the toolkit and will help you with exercising and testing:
- Disaster recovery plan
- Exercising and testing plan
- Exercising and testing report
Answer:
ISO 20000 Lead Auditor training is what you need. Certification should also be part of the training. Look for a training (and certification) provider in your area.
ITIL knowledge, i.e. ISO 20000 knowledge and experience, is of great help.
Customer feedback and organizational memory
Answer:
If your organization:
- receives and handles customer complaints, one example of customer feedback, that should be kept as documented information;
- asks customers for feedback about their satisfaction, that information could be obtained in a conversation but, as a good practice, should be recorded and kept as documented information, at least as an input for management evaluation;
- receives from customers a sort of supplier performance rating, that is also customer feedback, which should be kept as documented information, at least as an input for management evaluation or an input for corrective actions.
Keeping documented information is a way of keeping the memory of the organization: people can change, and personal memories can play tricks on us, so having an organization's memory is an important feature for learning.
The following material will provide you information about customer complaints:
As an auditor you should be able to demonstrate your competence to your customers. As a minimum, you should demonstrate certification as a lead auditor, and certification that you know the standard. So, I would recommend training to formalize your knowledge of ISO 9001:2015. Please see the links below about how to integrate ISO 27001 and ISO 9001.
The following material will provide you information about ISO 9001 and ISO 27001 integration:
1. Information about other people -
a) does this mean that we do not need to disclose any email content to a requester that contains references or information relating to other people?
b) does this mean that we do not need to disclose CCTV footage that contains other people in it?
2. If we were to classify all documentation and electronic communication as ‘Confidential’ and/or as only “opinions held by the company”, do we need to disclose any information at all? It would appear that if we can show that we have classified it as “Opinions”, we are not bound to share: "does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence” and "In general, privileged information includes any document which is confidential”.
Answer:
Regarding your 1b question, you can provide the email content to a requester if the information only concerns him; if there is other information concerning other persons, that information should be removed.
As far as CCTV goes, unless you can blur the faces of the other data subjects, you don’t need to disclose the images. There is also the situation where the requester could provide you with the consent of the other data subjects who were caught on tape to disclose the footage (this is most likely only in theory). Be aware that if the requester is a law enforcement agency, you need to comply based on your local legislation.
The “Opinions held by the Company” refer to legal opinions provided by qualified lawyers that are under “lawyer–client privilege”. As for “Confidential” information, you can always remove the confidential part of the document and just leave the information about the requester.
Normally most schools collect names, addresses, birthdays, sex, race, religion, phone numbers, etc. This is not dictated by us, but is relevant to any reporting the school needs to do.
1. Controller/Processor: We are fairly confident that we will need to assume the role of controller and processor.
2. DPO - Again, we believe we will need a DPO or need to assign someone in the company the responsibility of overseeing our GDPR compliance. We have based this decision on the fact that student information saved in our database can be processed by the schools in the form of reports for internal and external purposes.
Based on the information I have included would you agree?
Answer:
For your first question, you cannot be processor and controller for the same processing activity. From the description, it seems to me that for the processing activity you mentioned you are a processor and the schools are the controllers, because they are the ones deciding the means and purposes of the processing, while you are just providing the system which they use.
As for your second question, especially because most of the personal data belongs to minors and because you are also processing sensitive personal data such as religion I would advise you to appoint a DPO.
My understanding from your description is that you are acting as a processor and providing telemedicine software. The fact that you are dealing with healthcare data, which is sensitive personal data as per article 9 (1) - Processing of special categories of personal data https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/, puts you at the top of the list as regards the risk of processing.
Depending on the size of your company, as well as the complexity of your processing activities and the number of clients, an implementation project can take anywhere between 3 to 12 months, with the costs varying based on the same criteria mentioned in the beginning. You can check out our “Comparison matrices for implementing EU GDPR documentation” https://advisera.com/eugdpracademy/comparison/ to see what implementation model better suits your business.
We can also provide you our EU GDPR Documentation Toolkit which comes in three convenient versions which include expert consultancy from our EU GDPR experts. You can find out more about our Toolkit here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/