  • Privacy Notices


    Answer:

    In terms of Privacy Notices there are no exemptions regardless of the size or type of business; as long as you are a controller you need to present the relevant notices to the data subjects. E-commerce type businesses are not exempted, so Notices are required as well. As for facilities such as Mailchimp or AWeber, they are only platforms that you can use to deliver mails or newsletters, so the targeted data subjects need to be properly informed and to consent to being targeted by marketing campaigns. If you however want to generate leads and then pass the information to third parties, you would need to obtain the consent of the data subjects for their information to be processed by those third parties.
  • EU GDPR in school


    Answer:

    The EU has suggested using standardized icons specifically with regards to privacy notices intended for children. Unfortunately they have not currently agreed on these standardized icons, but I agree that it will probably be the easiest way to communicate your privacy notice(s) to your pupils. If you choose to do a predominantly (or exclusively) textual privacy notice, you will need to ensure that the language used is understandable for children in the lowest age group.
  • Data Disclosure Form


    Answer:

    It is not the Data Disclosure Form which is mandatory but rather the information you need to provide to the data subject. You can find a template for a Data Subject Disclosure form in our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/documentation/data-subject-disclosure-form/
  • Privacy notice


    Answer:

    If employee data is being sent constantly outside the EEA, then you need to inform your employees about this via a privacy notice. If the data being sent is the same every time a transfer occurs, you need only present the notice once and keep it available so the employee can access it at any time.
  • EU GDPR toolkit documents


    Answer:

    Besides the notices and consent related documents there are no requirements for you to make public other EU GDPR implementation documents https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ However, policy documents such as the "General Data Protection Policy" could be made public as well, as a way to prove commitment.
  • Handling the privacy

    As mentioned previously, my understanding is that you are acting as a processor and performing certain evaluation services on behalf of various controllers. In this case all data subject requests should be directed to the respective controllers.

    This doesn't mean that you are ignoring the requests, but you are directing them to the controllers so that they can evaluate and decide how to deal with them. If the controllers consider the request grounded, they will instruct you on how to proceed.

    When receiving such requests from the data subjects, you should just mention that you cannot evaluate their request but you will send it to the data controller.
  • Process approach in a school environment

    We received a follow-up question:

    "What about the physical facilities or the 5S? How strict is the registrar with regards to this? Do we really need to repair all our damaged equipment and facilities?"

    This is my answer:
    I included physical facilities under “Manage infrastructures” (please check ISO 9001:2015 clause 7.1.3 a)). About 5S, it is not an ISO 9001:2015 requirement. If your organization uses it, it will be demonstrated and does not need a process for that.

    I cannot predict registrars’ evaluation regarding facilities. I don’t believe your organization needs to repair all damaged equipment and facilities, unless they question the ability:
    * to meet quality objectives,
    * to meet interested parties’ requirements like regulatory or legal requirements; or
    * to attain customer satisfaction
  • ISO 27001 implementation


    It was mentioned, however, that he just wanted me to go straight in and start writing out the policies. My questions are as follows, which hopefully you can give me some guidance on:

    1 - Firstly, is this even possible or the right way? I’ve gone through a few trainings and webcasts you’ve provided, and I was under the impression that you had to complete this stage by stage, rather than jumping straight into the policies.

    Answer: It is possible to start writing out the policies, but it is not the right way, and not recommended, because the chances are that the policies will not cover all the aspects where you need to protect information, conflicting rules will impair process performance, and you will have a lot of rework to do to correct things (and this rework will certainly take more time than following the implementation step by step).

    2 - Is it even possible to write the policies without any real scope, apart from wanting to implement these in the IT dept? Again, I was under the impression that this wasn’t supposed to be just an IT project.

    I did try and explain about the different steps involved but I wanted to get your guidance on what I have mentioned above.

    Answer: Without a stated scope you will have to consider at least that the whole organization is covered by the ISMS, and depending on the size of the organization and your real needs for security, the difference may mean a lot of unnecessary effort spent writing policies involving people and business units that will not use them, again resulting in losses that can be prevented by following the implementation step by step.

    Regarding designating IT as responsible for information security, you should try to argue that information can exist outside information systems (e.g., in paper reports, on whiteboards, in people's conversations), and in these situations IT will not have the resources or authority to protect information, so the best course of action is to designate information security responsibilities considering where the information can be (e.g., HR can be responsible for information security related to how employees handle information).

    These articles will provide you further explanation about implementing ISO 27001:
    - The 3 key challenges of ISO 27001 implementation for SMEs https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/
    - 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    These materials will also help you regarding implementing ISO 27001 (you may present them to your boss):
    - Seven key problems to avoid in ISO 27001 implementation [free webinar on demand] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
  • Cloud toolkit


    "Cloud Toolkit is suitable for smaller companies that do not have the need for complex business continuity process, but require the establishment of more strict security controls to protect information on cloud environments and have privacy related requirements to comply with."

    So do I understand correctly that it is designed for companies who keep their data in the cloud (cloud customers), but not for companies who provide cloud services?

    Answer: Cloud Toolkit is designed to support both cloud customers (about how to define security and privacy requirements and make sure their suppliers are compliant with them) and cloud service providers (about how to define security and privacy requirements, implement them and ensure they are working properly).