RODO Changes to the rules on personal data protection
On May 25, 2018, new regulations on personal data protection come into force in Poland. They are introduced in connection with RODO, the Polish acronym for the European General Data Protection Regulation (GDPR). As a result, the legal framework in which many companies operate will change, because they process personal data. That is why it is time to start preparing for RODO. How?
How to prepare for RODO?
A company can prepare for RODO on its own and ensure that it collects and processes personal data in compliance with the law, or it can hire a personal data protection specialist.
Every company or organization should build a personal data protection system tailored to its business profile. RODO deployment is a complex, multi-stage process whose scope of work and time of completion are determined by the data controller.
A multi-stage process
Preparing a company for RODO consists of several steps that form one consistent process. In the first step, the entrepreneur, as data controller, should determine what personal data are processed and for what purpose, e.g. data of customers, contractors, employees. It is necessary to specify whether the data consist only of names, or also of PESEL numbers (Polish national identification numbers), bank account numbers or other data.
It is also necessary to establish how customers' personal data are collected and whether they are kept in one database or in several separate ones. The data controller should determine whether the personal data are collected and processed electronically or in traditional paper form.
The second step is to establish the circle of people who have access to personal data. RODO requires that each person processing personal data hold an appropriate authorization, taking into account the nature of their work and whether access to particular categories of data is actually needed. You also need to identify which employees have access to the data and define the scope of that access. Not every employee of an organization needs access to all data.
The third stage of adapting the company to RODO is the evaluation of the information systems in which personal data are processed. The system must protect personal data against unauthorized access and modification. It is the data controller's responsibility to implement IT management guidelines that address issues such as:
starting and ending work in the IT system (logging on and logging off),
the methods and means of authentication used.
Every computer used to access databases containing personal data must be protected by a password of at least 8 characters. Treat this as a floor, not a target: longer passphrases and multi-factor authentication give considerably stronger protection.
Your personal data protection system, according to RODO, should ensure:
Accountability - every operation on personal data must be attributable, i.e. it must be possible to establish who performed it and when,
Security - protection against external attacks and against data loss, including through regular backups,
Physical security - the security of computers and other devices on which personal data are processed.
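The authorization-per-category requirement from the second step and the accountability requirement above are easier to reason about with a concrete model. The following Python example is added here and is not code from the original article: it assumes a hypothetical in-house data store in which each employee is granted access only to named data categories, and in which every access attempt, allowed or denied, is appended to an audit log naming the user, operation, category and time. All user names, category names and record values are constructed for illustration.

```python
"""Added example (not from the original article): per-category authorization
plus an append-only audit log, modelling RODO's authorization and
accountability requirements. Names and data are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One accountability record: who did what, on which category, when, and
    whether the operation was permitted."""
    timestamp: str
    user: str
    operation: str
    category: str
    allowed: bool


class PersonalDataStore:
    """Hypothetical store that keeps personal data grouped by category
    (e.g. "names", "pesel", "bank_account") and enforces that a user may only
    touch categories listed in their authorization."""

    def __init__(self, authorizations: Dict[str, FrozenSet[str]]):
        # user -> categories of personal data that user is authorized to process
        self._authorizations = authorizations
        # category -> {subject_id: value}
        self._records: Dict[str, Dict[str, str]] = {}
        # Append-only; nothing in this class ever removes an entry.
        self.audit_log: List[AuditEntry] = []

    def _authorize(self, user: str, operation: str, category: str) -> bool:
        """Decide and record. Denied attempts are logged too, so the audit
        trail also shows who tried to reach data outside their scope."""
        allowed = category in self._authorizations.get(user, frozenset())
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, operation=operation, category=category, allowed=allowed,
        ))
        return allowed

    def write(self, user: str, category: str, subject_id: str, value: str) -> None:
        if not self._authorize(user, "write", category):
            raise PermissionError(f"{user} is not authorized to write {category}")
        self._records.setdefault(category, {})[subject_id] = value

    def read(self, user: str, category: str, subject_id: str) -> Optional[str]:
        if not self._authorize(user, "read", category):
            raise PermissionError(f"{user} is not authorized to read {category}")
        return self._records.get(category, {}).get(subject_id)


def denied_attempts(store: PersonalDataStore) -> List[AuditEntry]:
    """Accountability query: every attempt that was refused."""
    return [entry for entry in store.audit_log if not entry.allowed]


def build_demo_store() -> PersonalDataStore:
    """Constructed sample: an HR clerk may process names and PESEL numbers,
    an accountant may process names and bank account numbers. Neither is
    given access to everything (least privilege)."""
    store = PersonalDataStore({
        "hr.clerk": frozenset({"names", "pesel"}),
        "accountant": frozenset({"names", "bank_account"}),
    })
    store.write("hr.clerk", "names", "emp-001", "Jan Kowalski")
    store.write("hr.clerk", "pesel", "emp-001", "00000000000")  # placeholder value
    store.write("accountant", "bank_account", "emp-001", "PL00 0000 0000")  # placeholder
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    print(demo.read("accountant", "names", "emp-001"))  # allowed
    try:
        demo.read("accountant", "pesel", "emp-001")  # outside the accountant's scope
    except PermissionError as exc:
        print("denied:", exc)
    for entry in demo.audit_log:
        print(entry)
```

The point of logging the denial rather than only the success is that the audit trail must let the controller reconstruct every operation on personal data, including attempts that should not have happened.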
The fourth step of adapting to RODO involves defining how personal data flows between data sets. Once all data flows have been defined, they should be described comprehensively, and a flow chart should be drawn up.
The fifth step concerns identifying the risks associated with data processing. RODO requires the data controller to assess the risks of processing personal data in the company, above all the risk of unauthorized use by third parties. The controller can audit the security of the personal data system independently or with the help of an external company.
The sixth stage is preparing the personal data processing documentation, which sets out all the rules that apply.
RODO is an obligation
It should be stressed that from the entry into force of the European Data Protection Regulation, every organization that collects and processes personal data (including data of customers and business partners) must comply with the new RODO rules. Organizations that fail to do so face financial penalties as well as negative legal and reputational consequences.