Establishing a data protection management system that fully complies with GDPR principles poses a significant challenge for every organization. The complexity of the matter, the lack of clear national legislation consistent with the GDPR, the broadened legally binding definition of personal data, still-forming case law and, above all, the volume of personal data processed, which dictates technological and organizational adjustments, all confront each organization with considerable challenges in implementing the regulation. However, at KPMG we believe that adjusting to the new rules is not merely another legal obligation to fulfil; it is also an opportunity to strengthen the image of the company as a trusted and reliable partner that protects the personal data of its clients, business partners and employees.
Our response to the question "how does one prove GDPR compliance to the world?" is:
Evaluation of compliance with GDPR principles
An independent assessment of the personal data security system helps verify to what extent an organization has implemented the processing principles: lawfulness, fairness and transparency, purpose limitation, data minimization, storage limitation, integrity, confidentiality and accountability. Assessing the practical control mechanisms in business processes that rely on personal data, whose operational effectiveness determines how personal data are processed and protected, confirms the adequacy of the implemented measures and, where flaws in the control system are identified, yields guidelines for further improvement. Implementing the GDPR affects, in practice, every significant area of an enterprise's activity, so the technological and organizational solutions adopted so far must be modified. As part of implementation, data processing policies and procedures (in particular information clauses and records concerning the rights of data subjects) should be revised, and documents that did not previously exist (e.g. records of processing activities) should be created. The compliance assessment concentrates on three aspects: documentation, organization and technological solutions.
Compliance certification based on ISAE 3000
Voluntary certification is a process envisaged by the legislator in Recital 100 of the GDPR. Since there are at present no clear guidelines on certification mechanisms in Poland or Europe, we offer a certificate based on the international standard on assurance engagements ISAE 3000. Certification based on ISAE 3000 requires the organization to introduce standardized personal data processing procedures that implement, in a repeatable manner, the principles imposed by the GDPR, such as lawfulness, fairness and transparency, purpose limitation, integrity and accountability. All of these main principles translate into practical control mechanisms in business processes that rely on personal data, whose operational effectiveness determines how the data are processed and the level of protection they receive. The assurance provided to you by an independent auditor confirms GDPR compliance both within the organization (employee data) and in external relations (client or contractor data).