
  • Documentation of processing activities


    Answer:

    As I understood from your query, the company you are representing is mainly acting as a data processor on behalf of various controllers. This means that you should have contracts or other binding documents in place with the controllers with specific data protection clauses (or Data Processing Agreements). Most of the information you need to fill in the Inventory of Processing Activities (the processor sheet) should be found in the documents mentioned above, documents that are signed by both controller and processor. Since you will use the information within these signed documents, you don't need any sign off from the controllers.

    Also notice that the EU GDPR Article 30 requirements relate to the accountability obligation of controllers and processors as well, and it is meant to abolish the need to notify data processing activities to a local supervisory authority (albeit without actually filing those records with the supervisory authority); thus you need to prove that you comply with these obligations to the Supervisory Authorities, and failure to comply would lead to your company being sanctioned and not the controller. This would make the sign off from the controllers useless both from your or your controllers' point of view.

    As for how to organize the Inventory of Processing Activities, this is up to you and the company you represent, depending on the business you are running and the sheer number of controllers. I would suggest either having an inventory for each controller or, if you perform the exact processing activities for multiple controllers, you could have one inventory for such groups.

    Article 30 (3) of the EU GDPR ( https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/) mentions that the inventory “shall be in writing, including in electronic form”, so both electronic and paper forms are allowed. In our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ we decided to go with the Excel format, since it is a widely used format accessible to most companies.
  • AS9100 Clause 8.1.3 - Product Safety


    Answer given:
    Per AS9100 Rev D you need to "plan, implement and control the processes needed to assure product safety..., as appropriate". So, if you are saying that you have assessed the hazards and risks associated with your product, and have no safety critical items to manage, then this should satisfy this requirement. These two items are the first examples in the note for this section, so really your method of satisfying the requirements of 8.1.3 is that you performed an assessment of the hazards and found none, so there are no associated risks to manage.
  • Comparison of the different GDPR articles


    Answer:

    I would first suggest checking the websites of the Supervisory Authorities of the jurisdictions you are interested in. For Guernsey and Jersey you could try starting with https://www.gov.gg/article/158844/Data-Protection-EU-General-Data-Protection-Regulation.
    The ICO in the UK has a pretty good website where you will find all the necessary information: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ .

    If you are interested in a document that contains local adaptations of the EU GDPR, you could consult the “GDPR National Legislation Survey” issued by Baker and McKenzie, which is publicly available here: https://globalitc.bakermckenzie.com/files/Uploads/Documents/Global%20ITC/DSC146096_GDPR%20Survey%20National%20Legislation%20Updated%2026%20May%202017%20(Belfast).pdf.
    DLA Piper also has a section on their website with local data protection laws around the world, which can be consulted here: https://www.dlapiperdataprotection.com/index.html?t=eu-section&c=AU.
  • Quality objectives

    Thank you, Strahinja.
  • EU GDPR procedures


    Answer:

    Articles 13 and 14 of the EU GDPR refer to the information to be provided to data subjects, or “privacy notices”. You can find a “General Data Protection Notice” in folder 2 “Personal Data Policy Framework”, which contains all the information you need to put into your “Privacy Notices”. Personal Data Records Management is covered by the “Data Retention Policy” and “Data Retention Schedule”, which can be found as well in folder 2 “Personal Data Policy Framework”.

    Folder 4 “Managing Data Subject Rights” contains the “Data Subject Access Request Procedure” that is meant to cover all the rights of the data subjects including the right to access, erase or rectify the data etc.

    Please consider that you don’t actually need a “Data Minimization”, “Special Categories of Personal Data Procedure”, “Reference letters procedure” or “Direct Marketing procedure”, as not every item from the EU GDPR needs a procedure or policy.

    To get an overview of the whole content of the EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ in terms of documents, you should check out the .pdf document called “List of Documents EU GDPR documentation toolkit”.
  • Program success factors

    The subject matter I need to know is how to keep a successful program running; why do people pass successfully for several years, and then begin to fail (with disastrous consequences)?

    The main reason for programs to start failing after a long period running is the loss of alignment between the program and the business objectives, so you should consider constant monitoring of business objectives and strategies, identification of how your programs can help support them, and implementation of proper adjustments.

    I am a Certified Internal Auditor with several years of Internal Audit experience, getting ready to transition, and am looking for an ISO 27001 Analyst or Auditor job; how can I find companies who are (or are looking to become) ISO 27001 compliant?

    For certified organizations you may try the websites of certification bodies (e.g., BSI, TUV, etc.). Some of them have databases with their certified organizations you can access. For organizations looking to become certified there are no such databases available, so you should rely on internet and professional social network searches.

  • Certifications for consultancy


    Answer: most certifications required will depend on the industries your company covers (financial, communication, etc.) and your line of business (e.g., IT security consultancy, business continuity, forensics, etc.).

    Considering ISO 27001, you should consider the lead auditor and the lead implementer certifications.

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Supplier Data Processing Agreement


    Answer:

    The document you are referring to is the Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/ that can be found in folder 7 “Third Party Compliance” of our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ .

    The Data Processing Agreement should be an Annex/Appendix to the contract (or another legally binding document) based on which the Processor processes personal data on behalf of the Controller.
  • Control of documents

    Please note that both templates fulfill ISO 27001 requirements.

    Answer: ISO 27001 doesn't require that all the documents use the same format (the use of templates is only a best practice), so you can state in your document control procedure that any new or updated policy/procedure must be used after a defined date.

    This material will also help you regarding document control:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Performing risk assessment

    Your conclusion is correct. By understanding which policies are already implemented and which risks are identified and considered relevant you can have a snapshot of the organization's culture, as well as some perception of the cultures of the other organizations which have business with it.