Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risks and interested parties
1.You determined the risks in your QMS processes. Have you evaluated them? Have you decided to perform some actions on the most critical ones? Also, risks are not only about products and services non-conformities. You can consider the risk of a cyber-attack, or the risk of losing an important worker with lots of know-how, or the risk of a new competitor with a disruptional approach.
2. Ok, but don’t forget the implications of that list, perhaps you should identify risks and opportunities liked to those interested parties. Have you determined the relevant requests of interested parties?
The following material will provide you information about the risk-based approach:
- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Controller/Processor and DPO
Normally most schools collect, names, addresses, birthdays, sex, race, religion, phone numbers, etc. This is not dictated by us, but is relevant to any reporting the school needs to do.
1. Controller/Processor: We are fairly confident that we will need to assume the role of controller and processor.
2. DPO - Again, we believe we will need a DPO or need to assign someone in the company the responsibility of overseeing our GDPR compliance. We have based this decision on the fact that student information saved in our da tabase can be processed by the schools in the form of reports for internal and external purposes.
Based on the information I have included would you agree?
Answer:
For your first questions you cannot be processor and controller for the same processing activity. From the description it seems to me that for the processing activity you mentioned you are a processor and the schools are the controllers because they are the ones deciding the means and purposes for the processing while you are just providing the system which they use.
As for your second question, especially because most of the personal data belongs to minors and because you are also processing sensitive personal data such as religion I would advise you to appoint a DPO.
You can find out more about the tasks of DPO in out article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
I also invite you to go through our online training GRPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Steps to become GDPR compliant
Answer:
My understanding from your description is that you are acting as a processor and providing a telemedicine software. The fact that you are dealing with healthcare data which is sensitive personal data as per article 9 (1) - Processing of special categories of personal data https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/ puts you on the top of the list as regards to the risk of processing.
Depending on the size of your company as well as the complexity of your processing activities and the number of client an implementation project can take anywhere between 3 to 12 months the costs varying based on the same criteria mentioned in the beginning. You can check out our “Comparison matrices for implementing EU GPDR documentation ” https://advisera.com/eugdpracademy/comparison/ to see what implementation model better suits your business.
We can also provide you our EU GDPR Documentation Toolkit which comes in three convenient versions which include expert consultancy from our EU GDPR experts. You can find out more about our Toolkit here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
You can also access our online training GRPR Foundations Course to get a more in depth view on the EU GDPR requirements https://advisera.com/training/eu-gdpr-foundations-course// -
Toolkits content and ISO 27001 requirements
Answer: Each toolkit includes a List of Documents file that maps each template to the requirements it covers. In the web page of each toolkit you can access its respective list of documents file, so you can identify the toolkit content and the requirements covered.
For the ISO 27001 Documentation Toolkit the List of Documents file can be accessed through this link: https://advisera.com/wp-content/uploads//sites/5/2015/06/List_of_documents_ISO_27001_Documentation_Toolkit_EN.pdf -
Guidance on implementation project
Answer: The following material will provide an step by step guide regarding ISO 27001 implementation project:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
- Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Toolkit content ISO 27001
Answer: ISO 27001 does not require a document to cover clause 4.1, so to avoid unnecessary administrative effort there is no template for cover this clause in the toolkit.
This article will provide you further explanation about organizational context (although this is an ISO 27001 article the same concept applies to 22301):
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
2 - How can you best describe our organization’s risk appetite?
Answer: The risk appetite is the organization willingness to take risks, and accept some degree of impact. The risk appetite can be related, among other things, to organizational culture, top management mindset, the desired business outcomes, and the impacts related to disruptive incidents it considers acceptable to take.
This article will provide you further explanation about risk appe tite:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
3 - How can you best describe the links between the business continuity policy and the organization’s objectives and other policies, including our risk management strategy?
Answer: The organization's objectives are the base for the business continuity policy, the other policies, and the risk management strategy.
Based on the organization's objectives the policies must be developed to ensure they can be achieved (in respect to the business continuity policy, the objectives will help drive the processes and resources to be implemented to ensure the continuity of activities that are related to the objectives). Regarding risk management, the organization's objectives will help the identification of the most relevant risks and how they should be treated.
These articles will provide you further explanation about objectives:
- Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
4 - How can you best describe the potential impact related to a disruptive incident with services, products, etc.
Answer: The best way to describe the impacts of disruptive incidents to the business is by performing a Business Impact Analysis, which will help you identify and demonstrate how business is impacted through time if a disruptive incident occurs.
These materials will provide you further explanation about BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/ -
Legal review of GDPR documentation
Answer:
All the documents in the EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ are designed not to be in conflict with EU Member State laws so from this perspective there in no risk.
However, there are certain areas where you would need to turn to local laws, for example in terms of retention periods there are maybe some specific requirements that will require you to keep certain record that may contain personal data for a specific period of time. For example, CCTV footage can be kept no longer than 30 days in certain jurisdiction such as Romania, Poland and Greece. So, my advice is once you have established your Data Retention Schedule to cross check with the local legal requirements.
Another aspect that may differ relates to Labor Law, in certain jurisdiction such as Germany certain processing activities involving employees personal data need to be brought to the at tention of the Work Counsels/Workers Union.
Also, keep an eye on local EU GDPR implementation acts that can add some local flavors to certain topics.
To learn more about the EU GDPR and its applicability in EU Member States see this free online training GRPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Data Transfer Agreement
Answer:
If your suppliers are within EU/EEA there is no need for any safeguards regarding transfers so, no Data Transfer Agreement is needed between controllers and processor that are in the EU/EEA.
However, the Data Processing Agreement which is the legal binding document establishing the obligations of the processors may need to be changed as there are certain requirements that are new and not covered by the current Data Protection Directive. In terms of processor obligations you might find useful the following article on our website : “EU GDPR Controller vs. Processor – What are the differences” https://advisera.com/eugd pracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/.
To learn more about the EU GDPR and cross border data transfers see this free online training GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Herramienta para calcular brecha con el RGPD
Respuesta: Claro, tenemos esta herramienta gratuita que te puede ayudar a determinar el nivel de cumplimiento con el RGPD europeo “EU GDPR Readiness Assessment” : https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/#
Y aquí también puedes encontrar otras herramientas gratuitas que puedes usar para el cumplimiento con el RGPD “Download free EU GDPR materials” : https://advisera.com/eugdpracademy/free-downloads/ -
Certificación ISO 27001 en un grupo empresarial
Respuesta: Ambas opciones son posibles, es decir, un grupo empresarial puede certificarse en ISO 27001, o cada compañía del grupo también puede certificarse en ISO 27001. Pero, si quieres obtener los beneficios del estándar a nivel de grupo, la primera opción sería la más recomendable.
Este artículo sobre los beneficios de la ISO 27001 puede ser interesante para ti “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Y también este webinar gratuito “Beneficios de ISO 27001: Cómo obtener el apoyo de la Dirección” : https://advisera.com/27001academy/es/webinar/iso-27001-benefits-how-to-obtain-management-support-free-webinar-on-demand/