Thanks to the GDPR compliance audit, you will learn to what extent the organization meets the requirements of the GDPR and what actions you should take to fully comply with it.

Scope of audit in the formal and legal area

• Analysis of applicable policies and procedures for the processing personal data.
• Implementation of the rights of data subjects, among others in terms of: the right to access personal data, the right to rectify and delete data, the right to be forgotten, the right to limit processing, the right to transfer data, the right to object, the principles of automated decision making in individual cases.
• Analysis of personal data processing in relation to which the organization is a data controller, among others in terms of: lawfulness of processing, fulfillment of the information obligation for data subjects, regulation of entrusting data for processing, rules for transferring data to third countries or international organizations, taking into account data protection at the design stage and their default protection.
• Analysis of the processing of personal data, in relation to which the organization is a processor.

The unlimited reach of the Internet, as well as the global dispersion of online service providers, makes us lose control over our data. Ensuring the security of all information held by your company is a challenge that requires thoughtful action.

Scope of IT audit

• Verification of the applied mechanisms of access control to information systems.
• Analysis of the adequacy of the applied physical protections with particular emphasis on the server rooms, archives, HR department, IT department and accounting.
• Verification of the authorization management process.
• Verification of the backup copy management process.
• Examination of the security of computer stations, mobile devices, carriers and other equipment.
• Checking the communication security in the LAN/WAN network.
• Verification of the documentation of ICT and physical security.
• Checking the level of knowledge and awareness of the organization's employees.

Risk analysis (Article 32 of the GDPR) and data protection impact assessment data protection (Art. 35 of the GDPR) are the heart of the personal data protection system. Thanks to them, you will learn whether the security measures which have been applied are sufficient and what risks are generated by your business for people who have entrusted you with their personal data.

Scope of the risk analysis and data protection impact assessment

• By performing a risk analysis for the resources involved in your processing operations, you meet the technologically neutral requirements of the GDPR. In other words, you create something more than just "paper" security.
• Furthermore, we will assess your processes in terms of risks related with the processing of personal data. In relation to the processes which are associated with high risk, we will carry out DPIA.

Personal data protection documentation defines the principles according to which an organization manages the personal data. By providing employees with knowledge of the expected methods of processing personal data, it protects against threats arising from the ignorance or carelessness of the staff.

The processing procedures and data protection policies will include:

• personal data protection policy,
• IT resources management manual,
• procedure for managing data processing rights and registering these rights in the IT system,
• policies: data protection by design, data protection by default,
• breach management policy,
• procedure for conducting a data protection impact assessment (DPIA),
• procedure for the selection of a processor together with a model agreement on entrusting data processing,
• a register of processing operations and a register of all categories of activities.

During their designing an organization determines, among others, the purposes of the processing, the scope of data necessary to achieve them, the duration of processing, and provides the necessary information to data subjects in a clear and transparent way.

We will help you with process modeling, among others:

• define the appropriate legal basis for the processing,
• divide duties between the various co-administrators and prepare an appropriate agreement in this regard,
• prepare a consent clause for processing personal data,
• define the scope of personal data adequate for the purpose of processing,
• develop mechanisms for updating data,
• prepare clear information obligations for data subjects,
• define the correct processing time for personal data for a given process,
• enter into a secure and beneficial entrustment agreement for you.

Supervisions, consultation, monitoring, day-to-day in the processing of personal data.

• Monitoring of compliance with the GDPR, other Union or Member States' data protection laws and the controller's or processor's policies on the protection of personal data.
• Informing and advising the controller, the processor and employees who process personal data, about their obligations.
• Supporting you throughout the breach management process.
• Liaising with the supervisory authority and acting as the contact point on matters related to processing, including prior consultation.
• Data subjects may contact with the data protection officer on all matters related to the processing of their personal data and with implementing their rights under the GDPR.
• As part of the preparation for the audit of the President of UODO, we will conduct an IT and legal audit of the part of your organization that will be subject to the control.
• With the support of experienced lawyers, you will gain confidence and control over the correctness of the audit and support for your organization's staff.

Free forms of training

With ODO 24 e-learning, employers save hundreds of man-hours for their employees. The scope of the online training is tailored to the needs of employees on the given position. Employees get only the content that applies to them.

3 smart types of e-learning We are the only company in the market that offers three trainings to choose from: training "in a nutshell", extensive "meritum" and interactive "premium". They differ in the portion of knowledge and time needed to complete the training (respectively – 30, 45 and 60 min.).

Knowledge tests, certificates and authorization Each participant of the e-learning, after passing the test, receives a certificate confirming completion of the training and authorization to process personal data.