Personal data protection

We examine the areas in which the Customer processes personal data, we assess relevant security measures and the legality of activities, and identify the processes for which personal data is collected.

Despite the amended Act on Personal Data Protection that came into force at the beginning of 2015, issues related to privacy protection still raise many doubts. Undoubtedly, apart from financial losses, the infringement of legal provisions related to personal data protection may give rise to consequences that are difficult to predict. These may be even more harmful as they involve loss of reputation of a company or specific orders that severely restrict its current operations. Therefore, it is advisable to check to what extent legal requirements are observed by a given organisation.

The purpose of the audit is to see whether the mechanisms that ensure personal data protection as part of company processes comply with the Act on Personal Data Protection and implementation regulations.

The audit verifies the adopted security methods not only in terms of legal requirements but also whether they are in line with the good practices indicated in PN-ISO/IEC 17799:2003.

The audit is conducted in line with the audit guidelines on compliance with BS 7799-2 (PN-I-07799-2:2005) that describes a model integrated information security management system, in which one of the elements pertains to aspects related to personal data protection.

Our experience in IT consultancy, compliance and information security gives us a wider view of the many problems arising from personal data protection and allows us to recommend solutions for the Customer that ensure a higher organisational security level than that required by legal provisions for personal data protection. We see to it that recommendations presented by us correspond to the situation and organisation of the Customer.

What do you gain?

  • Identification of risks related to information security.
  • Discovery of irregularities and proposals for their remediation.
  • Practical recommendations that correspond to your situation and organisation.

Example projects:

Audit of PDP compliance by a postal operator

At the request of the Customer, a leading postal operator that provides its services in multiple locations in Poland, we audited whether all adopted IT systems comply with the legal requirements and ISO 27001.

At the first stage of the project, we reviewed the IT systems indicated by the Customer as systems that process personal data and determined the extent to which those systems comply with the Act on Personal Data Protection, its implementation regulations, and ISO 27001.

The next step was to assess whether it would be possible to extend the IT systems that were found not to meet the legal requirements. Where it was technically feasible to extend a system, we indicated, on the basis of queries addressed to the producers of such systems, the time necessary for the removal of irregularities and the financial outlay required to adjust each system to the legal requirements.

Audit of PDP compliance by a capital group in the media sector

The Customer, a capital group, had been merged into one of the leading media groups on the Polish market, in which standards for processing personal data and ensuring its security had already been implemented. Our task was to bring the newly admitted companies into line with the procedures applicable in the group of companies.

The first step of the audit was to identify the personal data sets and define the role of each company belonging to the capital group as either a Personal Data Controller or an entity that processes personal data on the controller's behalf. We also analysed processes carried out jointly for all companies, inter alia, HR and accounting processes, which was necessary in order to conclude contracts for entrusting personal data processing between the companies belonging to the group.

The second step was to analyse the degree to which each company fulfilled its obligations as a Personal Data Controller under the Act, in particular to what extent personal data is processed lawfully, which data sets are registered, and whether personal data is adequately secured. On this basis, each company belonging to the group was provided with a list of irregularities that needed to be removed.