GDPR – requirements implementation and audit

Information Security Management System

Implementation of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

 

Who should implement the Personal Data Security Policy in accordance with the GDPR requirements?

Any entity that processes personal data!

Personal data and processing should be understood as follows (quoting from Regulation 2016/679):
"personal data" means information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific physical, physiological, genetic, mental factors, the economic, cultural or social identity of a natural person;

"processing" means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise sharing, adjusting or combining, limiting, deleting or destroying.
 

How to implement GDPR requirements?

The personal data security policy should be implemented in accordance with the requirements of GDPR 2016/679!

Our Institute guarantees that the certification audit will be successfully passed in Poland!

 

How much does GDPR cost?

The cost of implementing the Personal Data Security Policy in accordance with GDPR 2016/679 is similar to the cost of implementing the ISO/IEC 27001 information security management system.

The total costs of implementing the GDPR include: the cost of implementing the Personal Data Security Policy and the costs of adapting the personal data processing infrastructure.


 

Benefits of GDPR implementation:

Avoidance of high financial penalties to be imposed on Administrators!

Quoting from the regulation:

  1. Violations of the regulations relating to the following matters are subject, in accordance with para. 2, to an administrative fine of up to EUR 10,000,000, and in the case of an enterprise – up to 2% of its total annual worldwide turnover from the previous financial year, where the higher amount applies:
    • a) the obligations of the controller and processor pursuant to Art. 8, 11, 25-39 and 42 and 43;
    • b) the obligations of the certification body referred to in Art. 42 and 43;
    • c) the obligations of the monitor pursuant to Art. 41 sec. 4;
  2. Violations of the regulations relating to the following matters are subject, pursuant to para. 2, to an administrative fine of up to 20,000,000, and in the case of an enterprise – up to 4% of its total annual worldwide turnover from the previous financial year, where the higher amount applies:
    • a) the basic principles of processing, including consent conditions, as referred to in Art. 5, 6, 7 and 9;
    • b) the rights of data subjects pursuant to Art. 12-22;
    • c) the transfer of personal data to a recipient in a third country or an international organization as referred to in Art. 44-49;
    • d) any obligations under the law of a Member State adopted under Chapter IX;
    • e) non-compliance with an order, a temporary or definitive limitation of processing or the suspension of data flows by the supervisory authority pursuant to Art. 58 sec. 2 or failure to provide access in violation of Art. 58 sec. 1.
  3. Failure to comply with an order issued by a supervisory authority pursuant to Art. 58 sec. 2 is subject, in accordance with paragraph 2 of this article, to an administrative fine of up to 20,000,000, and in the case of an enterprise – up to 4% of its total annual worldwide turnover for the previous financial year, whichever is the higher.
  4. Art. 50. 1. On the public entities referred to in Art. 9 points 8 – 14 of the Act of 27 August 2009 on public finances (Journal of Laws of 2016, item 1870, as amended), the President of the Office may impose, by way of a decision, administrative fines in the amount of up to PLN 100,000.

 
