Economic obligations under the GDPR
The GDPR Regulation requires entrepreneurs to guarantee an appropriate level of security by ensuring the confidentiality, integrity and availability of personal data. Personal data must be processed in a manner ensuring their appropriate security, including, inter alia, protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational means. Any information clauses and consent clauses should be formulated in such a way that they are sufficiently legible to everyone.
Each personal data administrator (entrepreneur) must:
• keep and update a register of data processing activities;
• maintain and update a register of processors (the so-called processor register);
• analyze the risk of a personal data breach on an ongoing basis within their own micro or small enterprise;
• authorize employees or associates to process data (model authorization to process personal data).
Year of publication: 2021
Professional and reliable audit
I carry out a professional and reliable audit of information security / personal data protection from the formal, legal, organizational and technical side.
As part of the audit, I analyze all areas of the company’s activity related to the processing of personal data: business processes in the organization, the security policy, procedures and instructions, contracts with key business partners, IT systems, ICT infrastructure, and physical and environmental security. I also perform a specialist security assessment, develop a security policy for collecting, processing and sharing information, minimize the risks associated with disclosing data to unauthorized persons, and raise employees’ awareness of information security and personal data protection.
Information security audit
First of all, the information security audit determines the status of the security measures currently applied within the organization. At this stage they are verified, and appropriate improvements are then implemented.
The personal data protection audit is closely related to the verification of the documentation and procedures required by the provisions on the protection of personal data. It forms the basis for a report describing the facts and containing conclusions with recommendations that the organization should implement as soon as possible, so that the processing of personal data takes place in accordance with the provisions governing this process.
I participate as an expert in research and development projects aimed at implementing innovations improving the competitive position of the organization and increasing the efficiency of management by implementing solutions that improve the management process, improving work organization, and increasing the quality of products / services.
I conduct training courses for information security administrators / data protection officers, personal data protection representatives, and heads of IT, marketing, HR, accounting and financial departments, whose daily professional duties will be burdened with a number of new, obligatory tasks related to the introduction of the GDPR in a few months and a completely new law on data protection.
Personal Data Administrators are required to implement specific procedures and solutions, as well as organizational and technical measures, that are to ensure the highest degree of security in the processing of personal data by their organization. At the same time, the GDPR Regulation does not provide any specific solutions on how to do this, and does not indicate even minimum technical standards for securing personal data. Meanwhile, the liability of data controllers for non-compliance with the provisions of the Regulation is very high, as under the new provisions an administrative fine of up to EUR 20 million may be imposed on them.
Any entity that processes personal data on the territory of the EU may be punished with such a penalty, i.e. not only large economic entities, but also small and medium-sized organizations, including sole proprietorships.
dr inż. Grażyna Paulina Wójcik
I encourage you to take part in the training, in which I explain the changes in the protection of personal data in an understandable way, in accordance with the General Data Protection Regulation GDPR.
What is GDPR?
I carry out an information security / personal data protection audit from the formal, legal, organizational and technical side.
From May 25, 2018, new provisions on the protection of personal data apply: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). Under it, the function of expert support for data controllers and processors rests with the Data Protection Officer. The task of Data Protection Officers (DPOs), as previously of Information Security Administrators (ABI), is to act for data processing compliant with data protection regulations, both in public administration and in the private sector.
The appointment of the Data Protection Officer in accordance with the new regulations becomes in many cases an obligation, and not the right of the data administrator.
General Data Protection Regulation GDPR in Art. 37 section 1 provides for the obligation to appoint a Data Protection Officer for administrators and processors when:
- (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- (b) the main activity of the administrator or processor consists of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
- (c) the main activity of the administrator or processor consists in the large-scale processing of special categories of personal data referred to in Art. 9 sec. 1, as well as personal data regarding convictions and violations of the law referred to in Art. 10.
It is a good practice to appoint a Data Protection Officer by private entities performing tasks in the public interest or exercising public authority. In this case, the activities of the Data Protection Officer should cover all processing operations carried out by the entity, including those not related to tasks carried out in the public interest.
The tasks of the Data Protection Officer (DPO) in the general regulation on data protection of the GDPR have been formulated in a general manner, without indicating the mode and deadlines for their implementation. This is a significant difference in relation to the previous act on the protection of personal data and its executive acts as regards the tasks of the Information Security Administrator (ISA).
The basic tasks of the Data Protection Officer, resulting from the General Data Protection Regulation GDPR, include, among others:
1) informing the administrator, processor and employees who process personal data about their obligations under the General Data Protection Regulation GDPR and other EU or Member State data protection legislation and advising them on this matter;
2) monitoring compliance with the General Data Protection Regulation GDPR, other Union or Member State data protection legislation and the policies of the administrator or processor in the field of personal data protection, including segregation of duties, awareness-raising activities, training of staff involved in processing operations and related audits;
3) providing advice, where requested, as regards the data protection impact assessment and monitoring its performance pursuant to Article 35;
4) cooperation with the supervisory authority;
5) acting as the contact point for the supervisory authority on issues related to processing, including the prior consultation referred to in Article 36, and consulting, where appropriate, on any other matter;
6) acting as a contact point for data subjects in all matters related to the processing of their personal data and the exercise of their rights under this Regulation;
7) keeping a register of activities or a register of categories of activities.
The Data Protection Officer advises the Personal Data Administrator, among other things, on:
- which areas should be subject to internal or external audit;
- what training should be provided for employees or managers responsible for data processing;
- for which processing operations more time and resources should be allocated.