Questions regarding GDPR
I would very much appreciate some clarifications of the above:
- Are there any available GDPR certifications?
- How do I start with mapping my processing activities?
- Is there any video surveillance policy available in the toolkits?
- I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?
- How can I best present a privacy notice? Do clients need to sign the notice?
Are there any available GDPR certifications?
If you are looking for a certification of individuals, GDPR does not require any certification.
Even the DPO role does not require being in possession of a certification, yet a DPO must have deep knowledge of GDPR and privacy regulations.
In reference to companies, Article 42 GDPR encourages the Member States to establish data protection certification mechanisms for the purpose of demonstrating that processing operations by controllers and processors comply with the Regulation.
There are plenty of courses on the market. Advisera also developed a free course where you can purchase access to the examinations and get a certificate. So if you are looking for a solution to certify your company's processes as a data controller or data processor, you can look for these solutions on the market.
- Article 42 GDPR: https://advisera.com/eugdpracademy/gdpr/certification/
- Check our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
How do I start with mapping my processing activities?
The first thing is to know your business. Think about:
- what data you collect (e.g. name, surname, telephone numbers, IP address, physical address, pictures, health data, etc.),
- who collects it (e.g. administration, HR, management),
- why you collect it (e.g. to provide a service or a product, video surveillance, security reasons, public interests),
- how you collect it (e.g. do individuals provide data to you through a form, a contract, a website, with/without consent),
- how long you store that data (the time necessary to provide the service, 1 hour, 1 year, 10 years, a legislatively determined period),
- where you store the data (physical archives for paper documents, cloud services, internal servers).
You can find some useful information here:
- 9 steps for implementing GDPR: https://advisera.com/articles/9-steps-for-implementing-gdpr/
- 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
- In our Advisera GDPR Toolkit, there are Guidelines for Data Inventory and Processing Activities Mapping, here you can download a free demo in order to verify if it suits your business needs: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/
Is there any video surveillance policy available in the toolkits?
We did not include a video surveillance policy in the toolkit because video surveillance is not directly regulated by GDPR, and most EU countries have their own rules. You should verify compliance with the internal rules of your country.
Most rules require you to state the security reasons for video surveillance and to avoid monitoring workers and public paths.
They can require you to minimize the period you store images before overwriting them, to determine who can have access to the images (you should set access procedures for those images) and the location where the records are stored. Most Supervisory Authorities or Member States have set their own specific requirements to comply with.
You can draft your own policy, considering your country's requirements and the limits set in GDPR, as a data processing policy using the blank template from the GDPR Toolkit.
You can also schedule a call with Advisera's expert who can provide you with some guidelines on how to proceed with this document.
I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?
It depends on whether they process personal data on your behalf or not.
Insurance companies are usually considered data controllers because they determine the purposes and means of data processing on their own.
However, if they have direct access to your internal data (e.g. geolocation data from security tools installed in your company's car fleet) and process it on your behalf, by storing the data on their servers, they can be considered a data processor with reference to that data.
Here you can find some references on data controllers and data processors:
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
How can I best present a privacy notice? Do clients need to sign the notice?
A signature is clear evidence of acknowledgement, yet it is not mandatory. GDPR only requires you to inform your customers about your data processing activities and to collect their consent when required.
Consent can be acquired through a signature, but also orally or by a clear affirmative action (e.g. ticking a checkbox).
Therefore, you can present a privacy notice as a link in your email signature to make it easy for them to be informed, you can attach a privacy notice to your contracts, or you can inform them by telephone and record their consent (if needed). Much depends on your activity.
Here you can find some useful material for drafting a GDPR Privacy Notice:
- Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
- Article 13 GDPR https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/
Feb 11, 2020