Compliance (GDPR, NIS2, ZoKB, audits)
We can help you with GDPR and NIS2 compliance. We offer a range of products and services covering most of the requirements of these EU regulations. In many cases, outsourcing this work is also more cost-effective than building the capability in-house.
General Data Protection Regulation
The GDPR significantly tightens the regulation of personal data processing. Meeting its conditions requires not only modifying the organisation's existing processing-related processes, but also implementing a number of additional, mandatory measures.
The regulation requires a comprehensive approach to information protection as a whole, even though its scope is limited to personal data. For automated processing of personal data in particular, it introduces new obligations aimed at greater transparency and, above all, security.
This can only be achieved by adopting appropriate measures not just in IT security, but also in physical, administrative, organisational and procedural security, and by linking all of these areas so that personal data protection operates as a single, unified system.
Adequate protection of personal data cannot be ensured unless the governing documents, the defined processes and procedures, the organisational structure and the deployed technologies are consistent with one another. Documentation that is not backed by real processes, an organisation that enforces them and properly applied technology does not protect anything.
Benefits
- We are an established security company; we have been successfully operating on the market for over 30 years
- We listen to our clients and adapt our services to their needs and time availability
- We carry out comprehensive security audits that combine several security disciplines
Our solution
Not all measures need to be handled by your own in-house resources; specialised experts can take on many of them. In numerous cases, such outsourcing is both more cost-effective and faster. Because the GDPR touches so many parts of an organisation, it requires a comprehensive approach to data protection management.
GDPR compliance analysis
The starting point for a correct implementation of the GDPR is a detailed comparison of the current state of data protection in your organisation against the requirements defined by the regulation (a gap analysis). Without it, there is no reliable way to know which requirements are already met and which still need work. We will prepare a detailed analysis and recommend the appropriate procedure and scope of implementation.
Design and implementation of processes and methodologies
The GDPR is built on the principles of "data protection by design and by default" and a risk-based approach. This not only requires new security processes and methodologies within your organisation, but frequently also affects the architecture of your information systems and applications. In particular, this covers procedures for personal data breach notification, for fulfilling information obligations towards data subjects, and for handling the right to erasure. We will design and implement processes and methodologies tailored to your organisation's environment.
Preparation of management documents
An essential part of data protection is appropriate governing documentation (policies, guidelines, etc.), which your organisation also uses to demonstrate compliance with the GDPR's accountability requirements. We will draft or modify governing documents to the extent necessary for GDPR compliance, taking your existing internal policies and processes into account.
Implementation of technical measures
A fundamental requirement of the GDPR is to protect personal data by ensuring its confidentiality, integrity and availability. This calls for sufficient technical measures both to secure the data and to detect breaches (Data Loss Prevention, Network Behaviour Analysis, sandboxing, cryptographic tools, etc.). We will design and implement appropriate technical solutions according to your individual needs.
Data Protection Impact Assessment
A Data Protection Impact Assessment is one of the basic tools for ensuring a high level of security where processing is likely to result in a high risk to data subjects, such as profiling, large-scale processing of special categories (sensitive) data, or systematic monitoring of publicly accessible areas. We will assess whether your organisation is obliged to carry out a DPIA and, if so, propose an appropriate way to integrate the DPIA into your existing (e.g. project) methodologies. We will also carry out the specific DPIA analysis itself, including any prior consultation with the Data Protection Authority.
Data Protection Officer - DPO
One of the GDPR's new requirements is the appointment of a Data Protection Officer by obliged entities. The role requires a person with sufficient experience and expertise in data protection, and such people are in short supply on the market. The role can also be outsourced: with this form of service, all of the DPO's duties are carried out by our experienced and vetted consultants.
Implementation of GRC solutions
The GDPR brings many sub-obligations, especially for large organisations processing huge volumes of personal data. In such cases, a GRC (Governance, Risk and Compliance) solution can be an essential element for effective data protection management and GDPR compliance, including ongoing compliance monitoring. We will ensure the optimal design and implementation of a suitable GRC solution, covering the needs of the GDPR and beyond. We have a team of experienced consultants for this purpose.
NIS2
The new Cybersecurity Act, which transposes the NIS2 Directive into national law, is expected to enter into force in October 2024. The Act provides a one-year transition period for adapting to the new requirements and implementing them gradually: compliance with selected obligations will be required from the second half of 2024, while the remaining obligations will not be enforced until the second half of 2025. Despite the transition period, now is a good time to start the preparatory steps towards a functioning cybersecurity governance process, and we will be happy to help you put one in place.
For NIS2, we can help you with the following areas in particular:
Analysis of the current state
We will analyse the current state of cybersecurity in your organisation. In particular, we assess your information security management system, security documentation, asset management, risk management, vendor management, human resources management, change management and access control. The analysis also covers the management of cybersecurity events and incidents and business continuity management.
Risk Analysis
We offer risk analysis to identify and assess potential threats and vulnerabilities associated with your organization's assets. You will gain a clear understanding of the risks that could compromise your security.
Preparation or review of security documentation
We will draft or revise documents with respect to your existing internal policies. Specifically, we can help you create an incident management plan, recovery plan, impact analysis, security user guide, etc.
Training
To raise the security awareness of your employees, from regular users and security administrators to senior management, we offer training tailored to the needs of your organisation. Besides face-to-face training, we can deliver training via e-learning using engaging video courses that conclude with a knowledge test.
Penetration testing
We test your systems' ability to withstand cyber attacks. The report describes the weaknesses found and proposes appropriate remedial measures so that they cannot be exploited in a real attack.
Strengthening IT infrastructure security
We can help you identify weaknesses in the technical security of your internal network and implement security technologies such as firewalls or EDR (endpoint detection and response) solutions that identify, monitor and respond to suspicious activity on endpoint devices.
Do not hesitate to contact us
Are you interested in more information or an offer for your specific situation?