Implementation of the GDPR in the firm

The implementation of the General Data Protection Regulation (GDPR) is not a reflection of the law itself, but rather an indication of the organisation's genuine commitment to building its own system for protecting personal data.

For whom is the GDPR implemented and when is it mandatory?

The implementation of RODO (the Polish name for the GDPR) is mandatory for any organisation that processes personal data in connection with its activities. This includes businesses as well as public institutions, NGOs, medical facilities, accounting offices and online shops.

A data controller is obliged to implement compliance solutions if it processes data of employees, customers, contractors or website users. This obligation stems directly from the Data Protection Regulation and applies to both large organisations and small businesses.

In particular, implementation of RODO is necessary when an organisation:

  • processes customer or employee data,
  • carries out marketing activities,
  • uses IT systems containing personal data,
  • transfers data to external entities,
  • carries out monitoring or other forms of supervision.


Comprehensive implementation of the GDPR in the company - what should be taken care of?

  • Thorough risk analysis for assets and processes.
  • Appropriate safeguards in the IT infrastructure.
  • A properly conducted Data Protection Impact Assessment (DPIA).
  • Fulfilment of the information obligation.
  • Employee awareness - a responsible approach to existing procedures and responsibility for the security of processed data.
  • Careful selection of processors and conclusion of agreements that guarantee data security.
  • Effective and efficient breach management.
  • Preparation of documentation describing the actual situation, rather than 'painting the grass green' for show.

What is the process of implementing the GDPR step by step?

The proper implementation of the GDPR requires an orderly process that includes both an analysis of the current state of the organisation and the implementation of appropriate procedures and documentation.

Stages of implementation of the GDPR

  1. Preliminary audit and process identification: we analyse what personal data is being processed, who has access to it, and what the purposes and legal basis of the processing are.
  2. Analysis of compliance with the General Data Protection Regulation (GDPR) requirements: we verify existing procedures, documentation and security measures, identifying areas that need to be updated.
  3. Risk analysis and selection of safeguards: we assess the risk to the rights and freedoms of data subjects and select appropriate organisational and technical measures.
  4. Implementation of organisational procedures and solutions: we help implement procedures in practice and adapt the way data is processed to meet the requirements of the GDPR.
  5. Staff training: we prepare staff for the proper processing of data and the application of the relevant procedures.
  6. Support following implementation: we provide assistance with maintaining compliance, updating documentation and further developing the data protection system.


Identification of processes and compliance with the GDPR

RODO tells the controller (the business, the decision maker) to look at the organisation through the lens of the purposes for which it processes personal data. These include recruitment, employment, accounting, marketing, sales, debt collection, etc.

A set of activities directed at achieving a particular business objective makes up one personal data processing process. By identifying your processes, you can assess the compliance of your data processing with RODO.

When implementing RODO, we look at processes through the lens of Murphy's Laws: we assume that things will go 'as badly as possible'. We then determine whether these risks are real, how you can guard against them, and how they can be minimised.

Package of services for implementing the GDPR in your company

  • Compliance audit.
  • Risk analysis, including workshops for asset owners.
  • Data Protection Impact Assessment (DPIA).
  • Adjustment of documentation (privacy policies, procedures, clauses and data processing agreements).
  • Implementation of technical and organisational measures.
  • Adjustment of the ICT environment.
  • Mapping and adjustment of business processes.
  • Training of employees and collaborators.

Post-implementation maintenance: updates, periodic audits, support and Data Protection Officer (DPO) services

The implementation of the GDPR is not a one-off action but a process that requires constant maintenance and updating.

The data controller should regularly update the documentation, verify the processing activities and adapt the safeguards to changing conditions.


Post-implementation support may include:

  1. updating the documentation,
  2. periodic audits,
  3. expert consultations,
  4. support for data breaches,
  5. performing the functions of the Data Protection Officer (DPO).

What you get after implementation: a set of GDPR documents

Once the implementation process has been completed, the data controller receives complete documentation that meets the requirements of the GDPR and is adapted to the specifics of the organisation.

The scope of the documentation includes, inter alia:

  • data protection policy,
  • record of data processing activities,
  • procedure for managing data protection breaches,
  • procedure for exercising the rights of data subjects,
  • procedure for granting and managing authorisations,
  • information clause templates,
  • data retention procedures,
  • procedures for cooperation with processors,
  • risk analysis documentation,
  • DPIA documentation (if required).

What our customers say about our services

Marcin Wieczorek

Wojas


"I am very impressed with the high level of substantive expertise of the training staff"

From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.

Magdalena Węglewska

Mazda


"We can wholeheartedly recommend ODO 24 as a professional and reliable partner"

For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.

Agnieszka Karłowicz

Spiżarnia


"A practical approach, continuous advisory availability, and positive working relationships"

We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.

Tomasz Siwicki

Gefco


"I recommend the company ODO 24 as a professional partner"

For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.


Implementation of the GDPR - questions and answers

What are the consequences of failing to implement RODO?

The failure to implement RODO may lead to serious legal, financial and organisational consequences. The data controller is obliged to demonstrate compliance with the provisions of the data protection regulation.

Consequences may include:

  • financial penalties,
  • legal liability,
  • data security breaches,
  • loss of customer trust,
  • disruption to the organisation's operations.

Proper implementation of RODO helps to mitigate these risks and ensures the secure processing of personal data.

How long does RODO implementation take and what does the schedule depend on?

The time required to implement RODO depends on the size of the organisation, the number of processes and the degree of complexity of data processing activities.

Implementation can take from several weeks to several months. Factors affecting the timeframe include, among others:

  • the number of data processing processes,
  • the organisational structure,
  • the number of IT systems,
  • the scope of required documentation,
  • the level of organisational readiness.

Each implementation is tailored to the specifics of the data controller and includes all elements necessary to meet RODO requirements.

How much does RODO implementation cost and what affects the pricing?

The cost of implementing RODO depends on many factors related to the scale and nature of data processing within the organisation.

The pricing is influenced by, among others:

  • the number of data processing activities,
  • the size of the organisation,
  • the number of locations,
  • the scope of required documentation,
  • the necessity to carry out a DPIA,
  • the degree of complexity of IT systems.

Each implementation is priced individually to ensure compliance with the regulations and the effective implementation of appropriate safeguards.

What does implementation of the GDPR involve?

In practice, everyone who conducts activities related to the processing of personal data should implement RODO. Implementing RODO means building an internal personal data protection system within an organisation, tailored to the profile of the activity carried out and containing the necessary procedures in this area. RODO sets out the general framework for personal data protection. It is the controller's (entrepreneur's, decision‑maker's) task to create detailed, and above all effective, rules and tools for personal data protection that will ensure the security of information and the compliance of data processing with RODO. The key actions when implementing RODO are: determining the likelihood of threats, identifying ways to avoid them and working out how to minimise their risk.

Who should implement the GDPR procedure?

In practice, under the regulation, anyone who carries out activity related, even peripherally, to the processing of personal data. The question should be phrased differently: what should my organisation implement? RODO recognises differences between “small” and “large” businesses, and therefore does not indicate universal safeguards. You must determine these yourself. We do this through a risk analysis and are happy to help you with it. It is therefore worth using the assistance of a Data Protection Officer (DPO).

What is process identification?

Process identification is the determination of the purposes for which you process personal data. These include, for example: recruitment, employment, accounting, marketing, sales, debt collection, etc. A personal data processing process is a set of activities aimed at achieving particular business objectives. By identifying processes you can assess the compliance of data processing with the GDPR.

What should be addressed during the implementation of the GDPR?

Key elements when implementing RODO are: a thorough risk analysis for assets and processes, appropriate safeguards in the IT infrastructure, a proper data protection impact assessment (DPIA), fulfilment of the information obligation, employee awareness, i.e. a responsible approach to applicable procedures and to responsibility for the security of processed data, proper selection of processors and entering into contracts that guarantee data security, effective and efficient management of breaches, preparation of documentation describing the factual state and appointment of a person responsible for maintaining the system. It is worth remembering that implementing RODO is a process requiring specialised knowledge and experience, as well as an individual approach to each organisation.

How can accountability under RODO be ensured?

To ensure accountability, that is to demonstrate compliance with RODO, adapting policies and data processing procedures alone is not sufficient. You must also maintain various records and registers, including the record of processing activities, the register of personal data breaches and a register of requests concerning the exercise of the rights of data subjects. In the event of any complaint alleging that your organisation has breached RODO, you should be prepared to demonstrate that it is unfounded.

How can we help you with the implementation of RODO?

We provide support from external experts, objectivity in risk assessment and security design, and deliver a proven implementation methodology. The service package as part of RODO implementation includes: an opening audit, a risk analysis, including workshops for asset owners, a Data Protection Impact Assessment (DPIA), adaptation of documentation (policies, procedures, clauses and contracts) and the ICT environment, mapping and adaptation of business processes, and training for employees and collaborators. The time and cost of RODO implementation depend on the number of processes that need adapting, the nature of the activity and the size and territorial scope of the organisation. Depending on your needs and budget you may commission us to carry out a full RODO implementation, provide ongoing support with RODO implementation, deliver comprehensive RODO services, perform a RODO audit or offer consultancy on RODO implementation.

How can we tell that a company has properly implemented RODO?

If your work becomes boring, repetitive and predictable, your employees will know who to turn to with questions regarding personal data protection, and the number of identified breaches will fall significantly, then you can assume that you have properly implemented RODO.

What can facilitate implementation of RODO?

Engagement. Nothing more, nothing less. We have very good experts, a proven methodology, tools and an open mind, but it is your company that must provide the input – information and documents – on the basis of which we will do our work.

Can I agree an individual scope of service with ODO 24 tailored to our budget?

Sure — we prefer such solutions. Defining the budget shortens the time needed to develop an optimal solution for RODO support. Knowing the budget, we can advise the client on the optimal solution.

Our greatest value is the trust of our customers.

How can we assist you today?

Please contact us and we will find a solution.

The data controller will be ODO 24 sp. z o.o. with its registered office in Warsaw at ul. Kamionkowska 45. Your data will be processed for the purpose of preparing, sending and archiving the cooperation offer. More information can be found in the Privacy Policy
