Charities are impacted by GDPR like any other organisation. There is no exception for charities. I would start by doing a personal data processing inventory. You can find a template for this in the Advisera EU GDPR toolkit https://advisera.com/toolkits/eu-gdpr-documentation-toolkit/. Afterwards, if you have more questions, you can rely on Advisera to help you.
Risk Assessments and GDPR
Answer:
The GDPR makes it mandatory to perform risk assessments in the shape of a Data Protection Impact Assessment where it is deemed that there is a risk to the rights and freedoms of the individuals whose data is being processed.
Documentation templates and ITIL version
Answer:
The documentation toolkits (ITIL and Premium) are based on the 2011 revision of ITIL. When V3 was introduced (2007), the complete name was ITIL V3. From the 2011 revision onward, it is only ITIL.
Personal Data and DPO
2) Do we need a Data Protection Officer or is a Data processor enough?
3) Regarding the 'Compliance Questionnaire': do we need to send this to all 3rd parties that hold data of ours, or just our clients?
Answers:
1) According to EU GDPR article 5(e) (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/) personal data cannot be kept longer than is necessary for the purposes for which the personal data are processed. Assuming that the data received via your website comes from users registering there, you can set up your own retention period. When establishing it you should consider a reasonable retention period that would be consistent both with the type of services you provide to the data subject and with the categories of personal data processed. To give you an example, if you are not collecting special categories of data (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/) you can set up a retention period anywhere between 1-3 years (most likely it will not be considered excessive) from the last time the user accessed his/her account on your website.
2) Appointing a Data Protection Officer is required by the EU GDPR (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/) only in some specific cases:
- you are required to do so by national law;
- your core activities consist of regular and systematic monitoring of data subjects on a large scale;
- your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offences).
So, if you find yourself in any of the above cases it is required to appoint a DPO, which can be an employee or a third party (e.g. a consultancy company). If you don't, then you are not required to appoint a DPO, but you can designate some data protection specific tasks to someone within the organization.
3) The Supplier Due Diligence Questionnaire is used to assess those suppliers that are processing personal data that belong to you as controller. So, those suppliers receiving or having access to personal data that you process as controller, regardless of whether the data is that of your employees or your customers.
GDPR Compliant Media Release form
Answer:
Let me begin by pointing out the prerequisites for a valid consent as set out by EU GDPR article 7 (https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/) namely: freely given, specific, informed and unambiguous indication of the individual’s wishes.
Answer: The values presented in the template for the categories of disruptive impact can be changed to fit your organization's needs without any problem. They are only examples based on our experience. There is no such thing as a set standard, because each organization has unique characteristics that will influence these values.
What determines the values for the categories of disruptive impact is what your organization perceives as relevant time frames for the business (e.g., minutes, hours, days, weeks, etc.).
Although you can determine the values for the categories of disruptive impact, you should not change them with every BIA, because this way you cannot make comparisons between different BIAs. The better solution is to establish a set of values that will cover the majority of possible scenarios.
Answer: A surveillance audit is an audit performed by the certification body between the certification and recertification audits, to check if the system is maintained.
2 - How is it different from the main audit?
Answer: While a main audit (for certification or recertification) covers the whole certification scope, a surveillance audit covers only part of the certification scope. After a certification, the surveillance audits are planned in such a way that the whole certification scope is audited before the recertification audit is performed.
Answer: ISO 27799 is not a certifiable standard. It defines guidelines to support the interpretation and implementation in health informatics of ISO 27001 Annex A controls (this one being certifiable regarding information security).
This toolkit can help you implement the general framework for ISO 27001, and the expert support included with the toolkit can help you make the adjustments to cover the requirements of ISO 27799.
1. ISO 27001 - Section 8.2 - Information Classification
It says that "Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification."
My question is: who should develop the "Information Classification Matrix"? IT itself or the management? Please note that there is no separate Risk Management section either ...
Answer: The role best suited to develop the Information Classification Matrix is the information owner, the person who knows the value of the information best. Generally it is the process owner (the one accountable for the results of the process) or the process key user (the one who knows best how the process operates).
2. My second question is: how do we evaluate whether a company needs to go for ISO 27001 or not? Competitive advantage is one reason, but what other criteria should a company analyze to decide why it needs to go for ISO 27001?
Answer: Besides competitive advantage, a company may decide to go for ISO 27001 certification because it has a contract or other legal requirement (e.g., law or regulation) that demands this certification, or it identifies that by adopting ISO 27001 practices it can reduce losses and make the business more profitable.