
  • Data Protection Officer


    Answer:

    The EU GDPR requires the appointment of a formal Data Protection Officer (DPO) only in certain cases which are listed under article 37 (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/). So, if the company you are representing does not find itself in the situations described in the article mentioned above, you don't need to have a dedicated DPO and you are not required to have any document in place to back up this fact.

    This, however, doesn't mean that the company can leave aside the EU GDPR. Data protection specific tasks can be given to different members of the organization such as Legal Counsels, HR specialists, IT security specialists etc., or the tasks can be outsourced to a specialized third party.

    Just make sure that those members of the organization you select for the data protection tasks have at least some knowledge about the EU GDPR and other relevant data protection laws.
  • ISO 27001 clauses


    Answer:

    ISO 27001 consists of two parts: (1) the main part of the standard has clauses 0 to 10, out of which clauses 4 to 10 are mandatory; and (2) Annex A which has 14 sections - it starts from A.5 to A.18.

    Here you can see further explanation:
    - A list of sections in Annex A: https://advisera.com/27001academy/iso-27001-controls/
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • Defining context of the organization


    Answer:

    Context of the organization represents all internal and external issues that can affect the company's ability to achieve its quality objectives. Internal context includes organizational structure, culture, processes, etc., while external context includes the culture of the market or the country in which the company operates, regulations, competitors, customers, suppliers, etc.

    The standard does not require context of the organization to be documented, but you can document some part of it if you decide it is good for the company. In order to determine the context you can use SWOT or PEST analysis, or any other similar methodology, or you can arrange a brainstorming session with relevant people in your company and discuss the context.

    For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    These materials will also help you regarding the context:
    - Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Showing data on request of data controller

    Article 28(3)(h) of the EU GDPR states that the processor must inform the controller if, in its opinion, the controller's instructions would breach Union or Member State law including the EU GDPR (https://advisera.com/eugdpracademy/gdpr/processor/), so, if you have serious concerns, it is your duty just to inform the controller.

    It is the duty of the controllers to make sure that their instructions are lawful. Since you don't have the full picture of the processing activity, your perception about the processing being unlawful might be wrong. For example, the controller could have already obtained the consent from the data subject, thus you as a processor don't need to obtain that again.

    You don't need any extra confirmation from the controller or the data subjects since it is the job of the controller to ensure that any request that it might have is always in compliance with the EU GDPR and other data protection legislation.

    For more information on the specific duties of controllers and processors I recommend checking out our article "EU GDPR controller vs. processor – What are the differences?" which can be found at: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Processing personal data

    Thanks for the answer. So if I'm correct we should focus on the software and can basically put a 'no' to all processing activities because we won't do them ourselves.
    The only thing we need to make sure is that our software is GDPR compliant, regardless of whether the customer is using it that way.
  • Does the toolkit include the 27002 documentation and best practices?


    Answer: This is correct, ISO 27002 provides details on the implementation of 114 controls from ISO 27001 Annex A.

    In our ISO 27001 toolkit we have 22 policies and procedures that cover Annex A controls, and all of these have taken the best practices from ISO 27002.

    You have to keep in mind that ISO 27001 does not require each Annex A control to be documented, therefore we didn't develop documentation for some controls like physical security - our main focus was on optimizing the number of documents for smaller companies, so that we avoid any overkill. See also this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    You can see the list of documents in the ISO 27001 Documentation Toolkit here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/ - just scroll to section called "Toolkit documents".
  • Importance of ISO certifications


    ISO standards are becoming more and more popular, and especially ISO 27001 which explains how to manage information security. Here is an article that might help you: ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/

    However, there are also other security certificates you should consider - see this article CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

    On our website you'll find a couple of online courses where you can get certified: https://advisera.com/training/
  • Documentation of processing activities


    Answer:

    As I understood from your query, the company you are representing is mainly acting as a data processor on behalf of various controllers. This means that you should have contracts or other binding documents in place with the controllers with specific data protection clauses (or Data Processing Agreements). Most of the information you need to fill in the Inventory of Processing Activities (the processor sheet) should be found in the documents mentioned above, documents that are signed by both controller and processor. Since you will use the information within these signed documents, you don't need any sign off from the controllers.

    Also notice that EU GDPR article 30 requirements relate to the accountability obligation of controllers and processors as well, and it is meant to abolish the need to notify data processing activities to a local supervisory authority (albeit without actually filing those records with the supervisory authority); thus you need to prove that you comply with these obligations to the Supervisory Authorities, and failure to comply would lead to your company being sanctioned and not the controller. This would make the sign off from the controllers useless both from your or your controllers' point of view.

    As to how to organize the Inventory of Processing Activities, this is up to you and the company you represent, depending on the business you are running and the sheer number of controllers. I would suggest either having an inventory for each controller or, if you perform the exact processing activities for multiple controllers, you could have one inventory for such groups.

    Article 30(3) of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/) mentions that the inventory "shall be in writing, including in electronic form", so both electronic and paper forms are allowed. In our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ we decided to go with the Excel format since it is a widely used format accessible to most companies.
  • AS9100 Clause 8.1.3 - Product Safety


    Answer given:
    Per AS9100 Rev D you need to "plan, implement and control the processes needed to assure product safety..., as appropriate". So, if you are saying that you have assessed the hazards and risks associated with your product, and have no safety critical items to manage, then this should satisfy this requirement. These two items are the first examples in the note for this section, so really your method of satisfying the requirements of 8.1.3 is that you performed an assessment of the hazards and found none, so there are no associated risks to manage.
  • Comparison of the different GDPR articles


    Answer:

    I would first suggest checking the websites of the Supervisory Authorities of the jurisdictions you are interested in. For Guernsey and Jersey you could try starting with https://www.gov.gg/article/158844/Data-Protection-EU-General-Data-Protection-Regulation.
    The ICO in the UK has a pretty good website where you will find all the necessary information: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

    If you are interested in a document that contains local adaptations of the EU GDPR, you could consult the "GDPR National Legislation Survey" issued by Baker and McKenzie, which is publicly available here: https://globalitc.bakermckenzie.com/files/Uploads/Documents/Global%20ITC/DSC146096_GDPR%20Survey%20National%20Legislation%20Updated%2026%20May%202017%20(Belfast).pdf.
    DLA Piper also has a section on its website with local data protection laws around the world, which can be consulted here: https://www.dlapiperdataprotection.com/index.html?t=eu-section&c=AU.