Personal data protection and RODO audit

RODO audits and implementation

RODO Audits

A RODO audit is performed to verify the actual level of personal data protection in an organization and to evaluate how well it is prepared for the changes required by the General Data Protection Regulation (RODO/GDPR).

During the audit we will:

  • determine which information falls within the scope of the RODO regulations
  • determine the role of each body involved in personal data processing (controller, joint controller, processor, sub-processor)
  • verify the lawfulness of every processing operation the customer performs in its daily routine against the conditions for processing laid down in RODO
  • review the consent clauses used by the customer
  • review the mandatory information clauses used by the customer
  • analyze the contents of the data processing (entrustment) agreements used by the customer
  • determine the procedures for handling data subject rights requests (e.g. the right of access)
  • determine the procedures for fulfilling the controller's/processor's obligations (e.g. notification of personal data breaches)
  • analyze the technical (IT-related and physical) and organizational measures the customer applies to keep data secure, in terms of compliance with the RODO regulations.

 

The final result of the audit is a pre-implementation report, which identifies and describes the inconsistencies found (including violations of the law), provides evidence for each of them and recommends how to eliminate them.

In addition, the report indicates what actions need to be taken to achieve compliance with RODO; in particular we will:

  • propose a risk assessment methodology and perform the risk assessment
  • evaluate whether a data protection impact assessment is required and indicate how to conduct it if needed
  • determine whether the designation of a Data Protection Officer (IOD – Inspektor Ochrony Danych) is required and under what conditions
  • establish the customer's area of responsibility under the RODO regulations
  • present our recommendations on how to adapt the IT environment to the RODO requirements
  • prepare a proposed implementation schedule

 

RODO Implementation

RODO implementation covers two steps:

  • adjustment of the data processing processes
  • adjustment of the ICT environment

Within the adjustment of the data processing processes, the customer receives a set of documents making up a comprehensive security policy (the final scope depends on the audit results and the risk assessment), including:

  • risk assessment procedure
  • data protection impact assessment
  • risk treatment plan
  • procedure for cooperation with third parties, including a new draft data processing (entrustment) agreement and administrative measures that allow the customer to demonstrate that the obligation to select processors properly has been fulfilled
  • record of personal data processing activities
  • procedure for cooperation with the supervisory authority and for reporting personal data breaches
  • clauses used when collecting personal data and fulfilling the mandatory information obligations
  • position and responsibilities of the Data Protection Officer (IOD)
  • procedure for handling data subject requests directed to the Data Protection Officer (IOD)
  • policy for the IT systems development process, covering data protection by design (privacy by design) and data protection by default (privacy by default)
  • prior consultation with the President of the Personal Data Protection Office (UODO, previously GIODO) when required
  • selection of the applicable transfer mechanisms in the event of personal data transfers to third countries or international organizations

 

For the adjustment of the ICT environment, the applicable procedures will be developed and provided, in particular procedures for user management, authorization, backup management and security incident handling.

The service may be extended with a proposal to implement IT tools that support compliance with the RODO requirements in terms of IT security, especially:

  • data classification system
  • data leakage prevention system (DLP)
  • security information and event management platform (SIEM)

Contact
Michał Sztąberek
President of the board