  • Article 30 Records of processing activities


    Answer:

    As regards Article 30 Records of processing activities (also called the Inventory of processing activities), there is no requirement to report it to the Supervisory Authorities, which is why you won't find this document in our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    The only reporting requirement presented in the EU GDPR refers to the notification of Supervisory Authorities in case of some data breaches. You can find guidance as well as the appropriate templates in folder 9 "Personal Data Breaches" of our EU GDPR implementation toolkit.
  • Documenting Risks and Opportunities


    Answer:

    Clauses 4.1 and 4.2 don’t have any requirements about documenting risks and opportunities.

    The following material will provide you information about the risk-based approach:

    ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Required documented information


    Answer:

    Clause 8.1a is about product or service specifications. Your company must have product or service specifications. Then, see clause 8.1e: it is this clause that requires you to document product or service specifications.

    The following material will provide you information about ISO 9001:

    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 27001 requirements


    Answer: The minimum requirements depend on the standard you want to implement for information security, and one of the most important (and most popular) is ISO 27001 (many standards related to information security are based on ISO 27001). This standard has specific requirements, and you have to read the standard in detail to know them, but there is a series of mandatory documents you must have in order to implement the requirements of the standard, and you can see this list here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • GDPR Documentation Process


    Answer:

    Filling in the documentation is just one of your tasks in achieving EU GDPR compliance; after this step you should focus on making sure that all the documents are backed up by the proper processes, in order to ensure that the policies and procedures are followed and integrated into your day-to-day business activities.

    For example, you should also consider the following tasks:

    - test some of these processes, such as the one set up by the “Data Breach Response and Notification Procedure" https://advisera.com/eugdpracademy/documentation/data-breach-response-and-notification-procedure/ You need to see if all the staff involved know what to do, from identifying a data breach until sending the appropriate notifications;
    - maintain the “Inventory of processing activities” https://advisera.com/eugdpracademy/documentation/inventory-of-processing-activities/ which should be up to date;
    - perform Due Diligence on some of your most important suppliers;
    - build up an EU GDPR awareness program to train your relevant staff;

    EU GDPR compliance is not a “one shot” exercise but rather a continuous process to ensure that personal data is protected in any instance, regardless of the changes in your business activities.

    And to answer your second question, there is no need for you to proactively go to the ICO to present your EU GDPR framework.
  • Activity Recovery Strategy template content


    To be more specific, our economy dep has a critical activity of paying a certain supplier; the rest of the activities in the economy dep are not time critical until the end of a month.

    Answer: You should include all tasks needed to fully recover the activity, but the time to execute each one of them will be according to their criticality to the business, as defined in the Recovery Priorities for Activities template included in your toolkit. This way you can ensure both that critical activities are recovered first and that all activities needed to recover normal operations are recovered in the proper time.

    These materials will also help you regarding business recovery:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
  • Controls application


    Answer: According to ISO 27001 requirements, the applicability of controls from Annex A section A.11 to your office will depend on whether your employees' laptops have access to any information you want to protect (whether the information is stored or processed onsite or in the cloud), and on whether the results of the risk assessment identify risks to your premises that should be treated (e.g., there is an unacceptable risk that someone invades your office and steals the notebooks).

    These articles will provide you further explanation about physical and environmental security:
    - Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

    This material will also help you regarding Physical and environmental security:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Controlling customer data


    Answer:

    If by controlling CUSTOMER (DEBTOR) data you refer to data which relates to a company, we can safely assume that this processing activity is out of the scope of the EU GDPR. However, if the customer is a natural person (individual) or a sole trader, then the EU GDPR would be applicable.
  • Certifications for ISO 27001 experts


    Answer: There are two worldwide-recognized ISO 27001 personal certifications available, and both can help you support an ISO 27001 certification process:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process. For your stated purpose, this one would be more recommended.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provide more confidence to an organization being certified).
    - ISO 27001 Internal Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to perform audits only for their own organizations.

    These materials will help you:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Employee background check


    Answer:

    There is nothing wrong with performing a background check as long as the processing activity is lawful and proportionate.
    So, if based on a risk assessment conducted by the company it results that some categories of employees or potential employees would need to be checked, you can do that provided you do the following:
    - get the express consent of the potential employee, and for the existing employees provide an adequate notice. The consent form template can be found in folder 4 of the EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ and the notice for employees can be found in folder 2.
    - because this processing activity is quite intrusive (depending on the extent of the background check) and special categories of personal data (such as criminal records) might be processed, a DPIA would be required as well. You can find guidance on DPIAs in folder 5 of the EU GDPR implementation toolkit.