Personal Data Protection audit

Service description:

We examine the areas where the Customer processes personal data, we assess implemented security measures and the legality of data processing, and identify the processes where personal data is collected.

Despite the amended Act on Personal Data Protection that came into force at the beginning of 2015, issues related to privacy protection still raise many doubts. Apart from financial losses, an infringement of the legal provisions on personal data protection may have consequences that are difficult to predict. These may be even more harmful where they involve a loss of the company's reputation, or orders from the supervisory authority that severely restrict the company's current operations. It is therefore advisable to check to what extent the legal requirements are fulfilled by the company.

The purpose of the audit is to see whether the mechanisms that ensure personal data protection as part of company processes comply with the Act on Personal Data Protection and relevant regulations.

The audit verifies the adopted security methods not only in terms of legal requirements but also whether they are in line with the good practices.

The audit is conducted in line with the audit guidelines on compliance, which describe a model of an integrated information security management system in which one of the elements covers aspects related to personal data protection.

Our experience in IT consultancy, compliance and information security gives us a broader view of the many problems arising from personal data protection and allows us to recommend solutions that give the Customer a higher level of organisational security than that required by the legal provisions on personal data protection. We make sure that the recommendations we present correspond to the situation and organisation of the Customer.

How do you benefit?

  • Identification of risks related to information security.
  • Report of non-compliances together with recommendations to be implemented by the Customer.
  • Practical guidelines that correspond to your situation and character of your organisation.

Project examples:

Data protection compliance audit by a postal operator

At the request of the Customer, a leading postal operator that provides its services in multiple locations in Poland, we audited whether all adopted IT systems comply with the legal requirements and ISO 27001.
At the first stage of the project, we reviewed the IT systems indicated by the Customer as systems that process personal data and determined the extent to which those systems comply with the Act on Personal Data Protection, its implementing regulations, and ISO 27001.
The next step was to assess whether the IT systems found not to meet the legal requirements could be further developed. Where it was technically feasible to extend a system, we indicated, on the basis of queries addressed to the producers of those systems, the time necessary to remove the irregularities and the costs that would have to be incurred to bring each system into line with the legal requirements.

Data protection compliance audit by a capital group in the media sector

The Customer was a capital group that had been merged into one of the leading media groups on the Polish market, where standards for processing personal data and ensuring its security had already been implemented. Our task was to bring the newly admitted companies into line with the procedures applicable in the group.
The first step of the audit was to identify the personal data sets and define the role of each company belonging to the capital group as either a Personal Data Controller or an entity that processes personal data on the controller's behalf. We also analysed the processes carried out jointly for all companies, inter alia the HR and accounting processes, which was necessary in order to conclude contracts for entrusting personal data processing between the companies belonging to the group.
The second step was to analyse the degree to which each company fulfilled its obligations as a Personal Data Controller under the Act, in particular to what extent personal data is processed lawfully, which data sets are registered, and whether the personal data is adequately secured. On this basis, each company belonging to the group was provided with a list of irregularities that needed to be removed.

Ask for offer:

Daria Worgut-Jagnieża

22 537 50 57