Currently there is no GDPR certification system in place. The certification bodies are yet to emerge. I would recommend sticking with the GDPR and leaving the certifications until they are endorsed by the competent EU authorities.
Performing DPIA in companies
Answer:
Regardless of the size of the company, you must perform a DPIA if the processing activity is likely to constitute a high risk to the rights and freedoms of the data subjects. If you don’t have any processing activities that would be considered high risk, then a DPIA won't be necessary. However, be careful when assessing which processing activities are high risk. Our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ has a section dedicated to DPIAs, where you can find guidance as well as templates.
Right to object
Answer:
The right to object to marketing is an absolute right, so no controller can deny you that right. As for the right to object to other types of processing, any request must be assessed by the controller, and if there is no legal ground for the processing activity (for example, there is no legitimate interest), then the processing activity must cease. However, keep in mind that certain services cannot be offered to individuals without processing their data, so in that case the services will have to cease being offered.
Internal auditors competence requirements
Answer:
Yes, he can. The only requirements for being an internal auditor are: not auditing one's own work/department, and being competent. It is up to your organization to determine what a competent auditor is. If you have job descriptions, describe there what your requirements for the job of internal auditor are.
The EU GDPR states that DPIAs should be performed by data controllers. This is because the controllers are the ones taking the decisions as regards the purposes and means of the processing. However, processors might also be called upon to provide support to controllers when they are performing DPIAs, if a part of the processing activity which is the subject of the DPIA is outsourced to the processor. The processor must assist the controller should the controller need to carry out a privacy impact assessment (Art. 28(3)(f)).
Data Protection Impact Assessment and BIA
Answer:
If you identify personal data as critical items for your business, you could do this. But the DPIA should be kept as a separate process.
Legacy backup data
Answer:
If you have a huge amount of legacy backup data, you should determine adequate retention periods. As a general rule, unless there is a specific legal requirement or a legitimate interest, personal data should be deleted once they are no longer needed for that specific processing activity.
Employee data privacy
Answer:
If you only provide telecom services to companies, this does not mean that you should only focus on your employees' personal data. I am guessing that while providing the service to your corporate clients you would actually have access to some of their personal data as well. In this instance you would be acting as a data processor, and your main focus would be to comply with the requirements of the controller. You also have to have an inventory of the processing activities that you perform on behalf of the controller.
Difference between DPIA and data processing risk assessment
Answer:
If your risk assessment focuses only on the security of personal data, then one of the main differences would be that DPIAs focus on the rights and freedoms of the data subjects. You could keep the personal data as safe as you want, but this does not guarantee that the data is processed lawfully, nor that the data subjects can effectively exercise their rights.