Case Studies

PERN

Aim: audit of the personal data retention management process

We partnered with PERN to run an audit of selected IT and OT systems in order to verify GDPR compliance of their business processes. To this end, we reviewed and assessed their organisational and legal procedures, e.g. in terms of the lawful processing and retention of personal data, as well as creating backups for systems selected in the course of the audit.

Results

Based on the results of the audit, we prepared a number of recommendations, including two concepts for the implementation of an automatic personal data retention process in the company’s IT and OT systems.

PKP ENERGETYKA Capital Group

Aim: DPO outsourcing / security

We act as the Data Protection Officer for companies in the PKP Energetyka Capital Group. We also offer advice on matters related to technical measures, including IT security measures, which safeguard data processed by the companies in the group.

Result

Our analytical, advisory and conceptual work allowed the companies to streamline personal data processing in their business operations. In addition, through educational activities, we raised employees’ awareness of the importance attached to data processing and the associated responsibility.

 

Aim: data retention / security

We carried out an automation, identification, location-finding and classification process in selected data assets of the companies in the group. Data assets also included personal data subject to obligatory retention.

Result

Thanks to a modern operating model, based on our proprietary methodology, we detected redundant data processed in company assets, ensured the restriction of processing and data minimisation process, which had an impact on the cost aspect of IT solutions applied. Consequently, we lowered the risk of potential personal data breaches to an acceptable minimum.

AVENGA GROUP

Aim: DPO outsourcing / Security

We hold the function of Data Protection Officer for companies in the Avenga Group – an international supplier of body leasing services in the IT sector – with more than 5000 employees working in a distributed structure of several hundred businesses and institutions. Our activities allowed us to take responsibility for the entire personal data protection process, also concentrating on multi-layered aspects of data processing on a global scale.

Result

Taking oversight of the data protection process in the Avenga Group, we optimized it and made it more consistent. Thanks to insights and recommendations from audit operations, we contributed to the implementation of a holistic approach to the performance of tasks arising from the procedures in place by creating a mutually complementary and comprehensive personal data protection management system.

RANKOMAT GROUP

Aim: DPO outsourcing / security

A leading insurance and finance comparison website (e.g. transport, property, travel, life insurance), part of the Bauer Media Group, entrusted us with the function of Data Protection Officer and information security consultant. As part of our cooperation, we have focused on maintaining the highest standards of the processes we were entrusted with, as well as raising awareness of the importance and responsibility of participants operating according to the requirements of a regulated market.

Result

Our work with the companies in the Rankomat Group involved an innovative approach in meeting requirements for a personal data protection management system and our application of proprietary methods of operation allowed us to optimise the process, which, in turn, influenced its implementation in practical and functional terms.

 

Aim: data processing minimisation / security

Through the use of certified technical solutions, supported by M3M’s proprietary methodology, we carried out a data identification, location and classification procedure for selected business processes, especially with regard to personal data subject to obligatory retention, referring to practical compliance with data processing adequacy and minimisation.

Result

Taking advantage of state-of-the-art solutions supporting the automation of the data retention process, powered by M3M’s proprietary methodology, we ensured the Rankomat Group’s compliance with the principles of data processing adequacy and minimisation, which, in consequence, besides security of business operations, guaranteed taking control over data flow, as well as positively impacting the cost of the IT solutions applied in data collection.

EVELINE COSMETICS

Aim: DPO outsourcing

We cooperate with Poland’s biggest manufacturer and exporter of cosmetics as their Data Protection Officer and provide advisory and consulting services in the area of compliance risk. Moreover, we offer advice on matters related to technical measures, in particular IT security measures, safeguarding data processed by the company on a global scale.

Result

Tapping into the knowledge of a team of seasoned experts, we implemented and ensured the fulfilment of high standards for safeguarding data processed in the company. In addition, by consistently following the designed strategy, we reached the point where risk-free business operations as part of the so-called “daily routine” are possible.

YAWAL GROUP

Aim: DPO outsourcing

We were approached by Poland’s leading manufacturers and suppliers of architectural aluminium profiles with a request to design and implement a personal data protection management system in companies from the Yawal Group. Upon successful completion of this part of the project, we were appointed their Data Protection Officer. Regardless of our involvement in the data protection area, we support the group in the modelling and development of technical measures for information security purposes and, by performing regular risk analyses, we ensure compliance of business activities with all requirements and market standards.

Result

Preceded by a number of multi-dimensional auditing tasks, the project allowed us to capture the subject of data protection in the context of the Yawal Group’s business, and periodic cascading of expertise and our efforts to educate employees have effectively helped enhance and maintain a high level of data security in the group’s companies.

SEALED AIR

Aim: DPO outsourcing

Sealed Air’s vision is to create a better way of life, so the overarching aim of the project involving the implementation of a data protection system was to provide an end-to-end, rational solution which will seamlessly integrate with sequentially performed business activities. A positive consequence of the project completed by M3M, which was rated high in an external audit, was M3M’s appointment as the company’s Data Protection Officer, advisor and consultant in the area of compliance risk.

Result

We designed and implemented a universal personal data protection management system in the context of potential risk for the data processed as part of ongoing business processes. By periodically monitoring the process, we are able to model it so as to maintain demanding standards of safeguarding data processed in the company as well as the comfort of doing business safely.

GEIS

Aim: DPO outsourcing

Cooperation with this international logistics company bore fruit in M3M’s multi-dimensional involvement in advisory and consulting functions in areas such as compliance, operational risk and, due to our appointment as Data Protection Officer, taking care of managing the global process of personal data protection. As part of many years of cooperation, we focus on maintaining top standards for entrusted processes as well as (by periodical analyses and educational activities) on promoting stakeholder responsibility based on the latest trends in security and changing market requirements.

Result

Applying our unique approach to cooperation and fulfilment of requirements set for the data protection system, we managed to simplify and optimise the processes with which we were entrusted. Ultimately, it proved beneficial for streamlining the client’s business operations in pragmatic, practical and cost-related terms.

DBK GROUP

Aim: DPO outsourcing

We started our cooperation with Poland’s biggest supplier of products and services for the TSL sector by conducting a detailed audit of the data protection system already in place. Actionable insights and an innovative, business-friendly approach to the performance of post-audit recommendations led to further cooperation in the area of personal data protection, including M3M’s appointment as Data Protection Officer for all companies belonging to the DBK Group, providing them with compliance risk, training and educational services, as well as ensuring data protection in the area of collaboration with third parties, in line with our expertise and competences granted.

Result

We implemented and continue to maintain the personal data protection process on the required level. By leveraging many years of experience and a wealth of expertise, we managed to develop the progressive functional structure of the data protection process, which, along with monitoring, proves beneficial not only for our area of responsibility but mostly for the client’s trouble-free business growth.

DUSSMANN

Aim: DPO outsourcing

As part of our cooperation with this global facility management specialist, we have focused on tasks pertaining to the function of Data Protection Officer. We put the greatest emphasis on meeting regulatory and contractual requirements defined for controller/processor relations. In addition, we perform advisory and consulting functions in the compliance risk area, taking into account business expectations and principles based on rules derived from global performance standards.

Result

We updated the company’s personal data protection process. Using many years of experience and the professional approach of our team of experts, we created space for the client to pursue business objectives as we took responsibility for data processing security architecture. Our work, combined with a consistently followed security strategy, significantly contributed to our client meeting the exacting standards of data asset security.

IDEA BANK

Aim: cybersecurity

In cooperation with IDEA BANK, we implemented a set of effective IT system monitoring principles with the aid of Security Information and Event Management. M3M designed detailed procedures for responding to data security threats, according to which the Bank began to use advanced threat detection software to analyse potential security incidents (IBM QRadar).

Results

Based on proprietary logic matrices, we successfully completed a security system classification project, adapting the systems, depending on the priority assigned, to the required model in terms of regulatory expectations defining the process of ensuring the continuity of critical system components and the Bank’s IT applications.

AXA

Aim: security

Providing services for a leading international insurance company, we ran a comprehensive pre-certification audit of their ISO/IEC 27001 information security management system.

Results

Having completed the audit, we used our experts’ knowledge and experience to update the client’s data security management processes (infosec) and build resilience in the company, which led to AXA receiving ISO/IEC 27001 certification and a validation of the compliance of their approach to information security with the standard.

SYGMA BANK

Aim: personal data processing audit

In our audit at SYGMA BANK, we focused on the verification of the designed personal data protection process in terms of the fulfilment of regulatory and recommended requirements. Moreover, we planned, prepared and implemented necessary policies and safety procedures meeting requirements specified by Poland’s Financial Supervision Authority (KNF): Recommendation D – concerning IT and ICT environment security management – and Recommendation M – concerning operational risk management.

Result

The effectiveness of our project at SYGMA BANK was confirmed in the course of an independent, third-party audit carried out by a team of auditors from Deloitte, an international company offering audit and advisory services (one of the so-called “Big Four” audit firms). In this respect, SYGMA BANK received a very high rating of 99/100.

ZTM WARSZAWA

Aim: personal data processing audit

In ZTM Warszawa (Warsaw Municipal Transport Services), with an annual passenger traffic of 1.2 billion passengers, we ran a comprehensive audit of the implemented data protection services, with particular emphasis on data collected from city cards, complaints, CCTV video surveillance, employment and cooperation with third parties. The results of the audit allowed us to formulate suggestions and recommendations, draw up a relevant action plan for their implementation, as well as to prepare a feasibility study (also in terms of costs) with regard to actions required to streamline the process.

Results

The accuracy of suggestions and recommendations we offered in the course of the audit, as well as conclusions drawn from the feasibility study, led to the implementation of a comprehensive data protection model successfully used by ZTM Warszawa in their current business operations while satisfying high standards of technical and organisational security of personal data processed.

MINISTRY OF INVESTMENT AND DEVELOPMENT

Aim: data protection impact assessment

In accordance with the Announcement of the President of the Data Protection Authority, but primarily due to data processing operations, the Ministry of Investment and Development is obliged to assess data protection impact in order to estimate the likelihood of violations of data subjects’ rights and freedoms in connection with the processing of their personal data. At the start of our cooperation with the Ministry of Investment and Development, we concentrated on running a DPIA (Data Protection Impact Assessment) and the implementation of a proprietary methodology of periodical risk analysis for anticipated personal data processing.

Results

On the completion of the project, the final component of which was a series of dedicated workshop meetings, we provided the Ministry of Investment and Development with universal, user-friendly tools for conducting effective risk analysis and detailed guidelines for performing data protection impact assessments independently.

THUMOS GROUP

Aim: security / personal data processing audit / DPO outsourcing

Thumos Group is an industrial and investment holding operating in various sectors, such as the timber industry, furniture manufacturing, logistics, automotive and real property, for which we ran an extended audit of the data protection process for over a dozen businesses. Actionable conclusions and an innovative, business-friendly approach to the performance of post-audit recommendations led to further cooperation in the area of personal data protection, including M3M’s appointment as Data Protection Officer.

Result

We implemented and continue to maintain the personal data protection process on the required level. By leveraging many years of experience and a wealth of expertise, we managed to develop the progressive functional structure of the data protection process, which, along with monitoring, proves beneficial not only in our area of responsibility but, more importantly, in terms of our client’s trouble-free business growth.

WORKS SERVICE

Aim: security

Managing a project for the implementation of a personal data protection system in one of East-Central Europe’s biggest body leasing companies, we prioritized the necessity of providing a high level of security of large-scale data processing as well as (based on the insight gained from the audit) remodelling and adjusting data security policies and procedures to specific business requirements.

Results

The result of the work performed by M3M’s team of experts was the creation of an optimised personal data protection process together with a detailed projection of systematic activities designed in the new personal data protection strategy adopted by the company.

MANPOWER GROUP

Aim: security / BCP (Business Continuity Plan)

One of Poland’s largest body leasing companies, a division of the multinational Manpower Group, invited us to design and describe information security processes, including processes related to personal data security. In addition, in line with the assumptions of the project, we reviewed and updated IT security processes as well as the BCP (Business Continuity Plan).

Results

Thanks to our holistic approach to planned activities, the project for the Manpower Group culminated with the implementation of procedures detailing information security, including personal data security, as well as IT security and the BCP, which proved beneficial for streamlining business operations both in professional and economic terms.

LASY PAŃSTWOWE

Aim: security / personal data processing audit

The biggest challenge in our project for Dyrekcja Generalna Lasów Państwowych (General Directorate of State Forests), comprising auditing, implementation and education phases, was to precisely map their business processes within a vast, country-wide organisational network in the context of personal data processing operations. The main objective of our activities, aside from the need to meet formal requirements, was the necessity to ensure a high level of data processing security, which was accomplished by the design and implementation of a data protection process based on pro-business data protection policies and procedures as well as the implementation of an educational programme.

Results

Upon the completion of the project, we provided the General Directorate of State Forests with an optimised personal data protection process, covering all necessary policies and procedures, a plan of periodical activities (including educational activities) in the adopted personal data protection strategy, as well as raising awareness of the significance and responsibility associated with the processing of employees’ personal data.
