GDPR Audit

We verify compliance with the GDPR

Why a GDPR compliance audit?

An audit gives you, in the event of an inspection, confirmation that an external auditor has reviewed the organizational and technical measures used to protect data for compliance.

Find out if you are correctly fulfilling your basic data protection obligations.

GDPR audit and penetration testing

We conduct penetration tests, which we often perform in conjunction with the GDPR audit. The tests show you the places that may be a source of data leakage (breach).

Avoid penalties by removing weaknesses and implementing effective data protection solutions.

GDPR audit and social engineering tests

We perform social engineering tests to reveal the weaknesses of your employees. Order social engineering tests from us together with the GDPR audit and take care of data security.

Teach people to protect information with particular emphasis on personal information.

Legal grounds and transparency of personal data processing

We develop a register of processing activities that is required for all public entities.

Organizations employing at least 250 employees or processing high-risk data (medical data, CV, data on people with disabilities, data related to social assistance) are required to maintain an up-to-date and detailed list of their data processing activities and to be prepared to submit this list to regulators upon request. The best way to demonstrate GDPR compliance is a Personal Data Impact Assessment (DPIA). Organizations with fewer than 250 employees should also conduct an assessment, as this will facilitate compliance with other GDPR requirements. As part of the study, we also evaluate the organizational and technical measures taken to protect the data.

The processing of personal data is compliant with the GDPR only if it can be justified by one of the six conditions listed in Art. 6 or in Art. 7-11 regarding children and special categories of personal data. We investigate and document the legal basis.

We examine the legitimacy and necessity of processing based on the consent of a natural person.

If the legal basis is Art. 6 sec. 1 lit. f, "legitimate interests", we review the Privacy Impact Assessment.

We verify that you correctly inform people about how and for what purpose you collect personal data: how the data is processed, who has access to it and how you secure it.

We create documentation on the information obligation to present all elements in a concise, transparent, understandable and easily accessible form, using clear and simple language, in particular for any information specifically targeted at the child.

Data security from the organizational and technical side

  • We verify compliance with the principles of data protection at the design stage (privacy by design) and privacy by default.
  • We examine the state of implementation of technical and organizational measures that protect data, not only personal data.
  • We verify whether, before starting any activity, you examine its impact on data protection.
  • We make sure that the processing of personal data complies with the data protection principles described in Art. 5. Technical measures include encryption and secure transmission, e.g. ePUAP; organizational measures include limiting the amount of personal data collected or deleting data that you no longer need. We check whether you and your employees are aware of the data protection principles.
  • Security consists not only of technical elements, but also of an effective and implementable information security policy and a personal data protection policy in the form of a set of procedures, instructions and recommendations aimed at systematizing data processing processes.
  • The documentation we present is understandable and legible for employees.
  • It also protects you in the event of an external inspection and lets you account for compliance with the GDPR when it is inspected.

We verify and advise on how to implement encryption, anonymization and processes limiting the possibility of a data breach through leakage, destruction, unauthorized access or editing.

We verify and assess the effects of processing personal data that restrict or violate the rights and freedoms of natural persons.

This mainly applies to data processing in which information about health, religion or genetic data is processed, but also where an identity card number or PESEL number is processed.

Security management and accountability

We check who in the organization has been appointed, and on what basis, to act as the person responsible for compliance with the GDPR.

This is an important part of accountability and of security by design.

By making an inventory, we check with whom and how personal data processing agreements have been signed. An important element is the correctness of the contract's content, so that it guarantees the Administrator compliance with the GDPR. We also provide contract templates.

We examine what measures and to what extent the Administrator uses to protect data.

We verify their effectiveness and credibility from the technical and organizational side.

When the entity has implemented a security policy (PBI, ISMS, PBDO), we verify whether it is understandable and whether it functions in practice, so that there are no discrepancies and ambiguities.

Very often, during audits, we encounter huge discrepancies between documentation and reality. Equally often we see that documentation is treated only as a formal requirement. By checking the facts, we protect clients against the allegation of a lack of integrity in data protection and against its consequences.

Comply with privacy rights

We verify how you fulfill the right of the persons whose data you process to access their data and to learn what personal data you hold about them and how you use it.

We check how you fulfill the right to be informed about how long you plan to process (store) personal data and on what basis you have the right to do so.

We verify that personal data is up-to-date and correct, and that it can be updated, with particular emphasis on IT systems.

The data should be as up-to-date as possible so that their processing does not adversely affect the processing.

We investigate how and by whom personal data is processed automatically or semi-automatically. We also verify how data stored in the cloud is processed and where that processing takes place.