We perform legal due diligence on the personal data processed by companies and organisations, together with an analysis of IT security, and assess whether their personal data processing practices comply with the General Data Protection Regulation (GDPR) and other applicable laws.
A data protection audit encompasses the following tasks:
- Analysis of data flows;
- Preparing a register for records of processing activities;
- Drafting the internal rules for data processing and other required internal procedures;
- Drawing up agreements on data processing and transfer;
- Preparing notices to data subjects;
- Data protection impact assessment;
- Assessment of the impact on data subjects’ interests, fundamental rights and freedoms;
- Drawing conclusions and offering recommendations as to compliance with the GDPR.
The analysis of IT data security encompasses the following tasks:
- assessment of data security requirements for services, products and infrastructure, and an audit of how the technical and organisational measures required by law are applied;
- analysis of software and hardware compliance with the requirements of privacy by design and privacy by default;
- review of the company’s IT inventory;
- compiling a list of the company’s critical IT systems, ranked by importance;
- checking compliance with IT security requirements;
- assessment of the company’s internal and external network infrastructure;
- assessment of the company’s process for incident monitoring, identification and de-escalation;
- assessment of how data subjects’ rights are supported in the software being developed or used;
- drawing up internal procedures for the company’s IT systems;
- provision of recommendations;
- outlining a plan for implementing the recommendations, and supervising its execution;
- optionally, an external and internal IT penetration test can be carried out to assess the security level of the company’s IT infrastructure.