Identification of critical data in IT resources and regaining control over it.
Audit of data flows, implemented procedures and processes in the organization. Assessment of their compliance with data protection principles, information security requirements and the protection of business secrets.
Implementation of changes to documentation, processes and information access.
Monitoring by performing the functions of Data Protection Officer (DPO Outsourcing) or Information Security Coordinator.
The implementation of the provisions of Directive (EU) 2019/1937 will not only impose new obligations on employers under the new regulations, but will also require a legal audit of all business operations of the entity obliged to adopt the new whistleblower protection procedures. Apart from sector-specific requirements applicable in the industry the entrepreneur operates in, the most common requirements for entrepreneurs include:
What do we do?
We provide the company’s employees and contractors with a tool for reporting potential breaches that ensures anonymous reporting as well as the confidentiality and security of the processed data.
The channel available for reporting potential breaches is independent and autonomous, and it ensures the completeness, integrity and confidentiality of the information.
What do we do?
The Whistleblower Protection Directive requires the entrepreneur to inform the reporting person of the receipt of the report, the way it is handled and any further steps. In the event of a breach, the entrepreneur is obliged to take follow-up measures, such as referring the matter to a competent state authority or instituting disciplinary proceedings against the person responsible for the breach. An additional obligation is to keep records of each report and to manage the relationship with the reporting person.
What do we do?
The Compliance Audit covers the most important business domains exposed to significant risks, including criminal liability and reputational loss.
The scope of Compliance Audit includes:
Preparation and presentation of the results of the Compliance Audit.
Implementation of a Compliance Management System (CMS) meeting the requirements of the relevant standards:
Developing appropriate and comprehensive internal regulations describing the Compliance Management System (CMS), including the Compliance Policy, Code of Ethics, conflict of interest procedure, infringement reporting procedure and risk assessment procedure.
Implementation of internal regulations describing the Compliance Management System (CMS).
Preparing and conducting training for employees on the implemented Compliance Management System (CMS).
Monitoring of the Compliance Management System (CMS) by performing the function of Compliance Officer.
Supervision and support in fulfilling the obligations set out in the internal regulations describing the Compliance Management System (CMS), including support in proceedings concerning irregularities reported through the infringement reporting process (so-called ‘whistleblowing’).
Review, maintenance and updating of the implemented internal regulations describing the Compliance Management System (CMS).
Representing the company in contact with law enforcement authorities and other authorised third parties.
IT Kontrakt is an international company providing body leasing services in the IT industry. We provide DPO outsourcing, taking full responsibility for the processing of the data.
As part of the cooperation, we are responsible for the protection of the recruitment process in terms of personal data and for the further processing of the data of around 1500 employees delegated to work in several hundred companies and institutions.
A specific task was to develop a GDPR-compliant process for transferring personal data within the IT Kontrakt Group to a branch outside the European Union, in Singapore.
Oney Polska offers consumer loans granted in cooperation with Partners.
We acted as the Data Protection Officer in accordance with Art. 39(1) and Art. 38(4) GDPR; our tasks included:
a) informing the controller and the employees who process personal data about their obligations under the Regulation,
b) monitoring compliance with the Regulation,
c) data protection impact assessment and monitoring its performance in accordance with Article 35,
d) acting as a contact point for the President of the Personal Data Protection Office,
e) acting as a contact point for data subjects.
Rankomat.pl is the largest comparison engine for insurance offers in Poland and a broker selling these products. We are responsible for the whole domain of personal data security, performing the function of Data Protection Officer for three subsidiaries. Within our cooperation we have handled over 1000 requests from data subjects. We run regular call center training on data protection procedures and current call scripts.
We performed a DPIA (Data Protection Impact Assessment) and deployed incident management procedures (e.g. for data leakage and cyber attacks). In cooperation with the majority of insurance companies on the Polish market (PZU, AXA, Allianz, Aviva, Generali, Hestia and others) we agree on an ongoing basis the standards of personal data security in communication between them and the broker, i.e. the Rankomat.pl companies.
For Idea Bank we implemented the principles of monitoring IT systems using SIEM (Security Information and Event Management). Thanks to our analysis of critical events, the bank was able to use the advanced IBM QRadar software for in-depth analysis of potential security incidents and for creating detailed reports on the protection of its IT infrastructure. We also developed appropriate procedures and mechanisms for responding to an incident or a suspected incident.
In close cooperation with experts on the Idea Bank side, we carried out a security classification and ensured that resources were adjusted to maintain the continuity of critical elements of the IT systems.
AXA is one of the leading international companies in the insurance sector, operating in Poland in the areas of life insurance, property insurance, motor insurance, as well as pension funds and investments.
We conducted a comprehensive review of procedures, instructions and other documents related to data security. We also updated all IT security processes to comply with ISO 27001 and internal AXA Group standards. In the project, we took into account the specific conditions of local business processes, thanks to which the procedures were additionally optimised and adapted to the needs of AXA in Poland.
We conducted an audit of personal data processing and its compliance with GDPR and the implementing regulations. We deployed the necessary policies and security procedures and registered the data sets for the newly established bank.
We were also responsible for implementing Recommendation D, in which the Polish Financial Supervision Authority imposes special obligations on financial institutions regarding the management of risks related to IT systems and information processing. The project was audited by the independent consulting company Deloitte, and its implementation was rated 99/100.
The Warsaw Public Transport Authority (ZTM Warszawa) handles over 1.2 billion passenger journeys annually, which translates directly into the scale and range of processes involving personal data processing, including city cards, contacts with passengers, complaints, CCTV monitoring and employment.
We conducted an audit of personal data processing for compliance with the Personal Data Protection Act and its executive regulations, as well as an audit of the new regulations related to the introduction of GDPR. Based on the results of the audit, we prepared recommendations and a plan for implementing the necessary changes, together with an estimate of the cost of such an investment.
Due to the scale and type of personal data processed, the Ministry of Investment and Economic Development is obliged to carry out a periodic DPIA (Data Protection Impact Assessment). Commissioned by the IT Department, we developed our own methodology for performing a personal data security risk analysis and ran workshops on how to apply this methodology in practice.
We equipped the client with complete tools and know-how, thanks to which the annual DPIA can be carried out in-house, without commissioning a costly service from an external consulting firm.
The Paged Group is an industrial and investment holding company operating in various industries, such as the wood industry, furniture production, logistics, automotive and real estate.
For the Paged Group, we conducted a GDPR compliance audit, developed recommendations and carried out a comprehensive implementation of the recommendations for the security of personal data. Currently, we are performing the function of Data Protection Officer for 10 companies belonging to the group.
Work Service is the largest HR company in Central and Eastern Europe. It works with 3,000 companies in 17 countries, helping more than 300,000 people find a job each year.
Processing personal data on such a large scale requires not only ensuring an adequate level of security, but also adapting procedures and policies to the requirements of the core business processes. For the Work Service Group, we developed the complete documentation required for the implementation of GDPR.
ManpowerGroup is one of the largest employment agencies in Poland and part of an international US-based group specialising in HR consulting, with offices in 80 countries around the world.
We developed GDPR procedures covering data storage, third-party security, data transfer, Privacy by Design / Privacy by Default, data subject rights, incident management and more. In the IT area, we were responsible for preparing data security procedures, including an information classification policy and a Business Continuity Planning (BCP) procedure.
The project implemented for the Chojna Commune in the Zachodniopomorskie Voivodeship allowed M3M to further extend its competences in cooperation with public administration units. The specificity of the project was the need to take into account different types of entities processing personal data, from the Municipal Office, through the municipal kindergarten and municipal services, to the community culture center and the community self-help center.
We implemented an Information Security Management System (ISMS) for the Chojna Commune and developed a methodology for estimating and handling personal data security risk, including for the data processed in the IT systems of the Chojna Municipal Office.
The Group of Powszechny Zakład Ubezpieczeń is one of the largest financial institutions in Poland and Central and Eastern Europe.
Cooperation with this client required exceptional competence from M3M, because the scale and complexity of its operations increase the organization’s exposure to potential threats to the continuity of IT systems and to unauthorized access to data. For PZU, we prepared IT procedures such as vulnerability management for critical systems and rules for protecting IT systems against malware (antivirus protection management).
We conducted a comprehensive compliance audit and adjusted business processes to GDPR requirements. We developed the necessary policies, documents and procedures. We prepared the organization for risk management with regard to loss of privacy (Privacy Impact Assessment) as well as for change and project management in the context of data protection (Privacy by Design). We also conducted a series of training sessions for several hundred people involved in data processing.
A specific challenge was the precise mapping of all the processes and data sets in the extensive and dispersed structure of the State Forests. It includes the general directorate, 17 regional directorates, over 20 other organizational units and 430 forest districts.
Effective protection of your business is possible thanks to the combination of legal and IT competences
CEO
An expert associated with the IT industry since 2002, a graduate of the Polish-Japanese Institute of Information Technology, the Military University of Technology and the Polish Academy of Sciences. A recognised specialist in information and personal data security, risk management, changes in business processes and the implementation of IT systems. He gained experience implementing key projects at KPMG, Citibank and Orange Polska.
We believe that a comprehensive understanding of our clients’ business allows us to provide better solutions for security and process optimization in the area of personal data protection and IT. That is why we have created an elite team that combines broad legal and IT competences with the experience of the world’s largest consulting companies. Thanks to this, we can design and implement solutions that are effective, efficient and adapted to the realities and current challenges of each organization.
Customer Service Director
Legal advisor, legislator and doctoral student of law at the Polish Academy of Sciences, with over 10 years of experience at the Office of the Inspector General for Personal Data Protection. He personally participated in the legislative work on the GDPR, co-creating the provisions and implementing regulations on behalf of the European Union and Poland. He specializes in the right to privacy and personal data protection, taking into account the special provisions of medical, banking, insurance and telecommunications law.
The law should be applied with an understanding of business conditions and organizational processes. That is why we treat each project individually and prepare a tailor-made solution. Thanks to our experience and many years of practice, our work protects our clients’ businesses against the possible consequences of disciplinary, administrative or even criminal proceedings.