What kind of documentation must every company have from 25/05/2018 (RODO)
The above does not mean that from 25/05/2018 the security policy, the instructions for managing the IT system used to process personal data, or the records of persons authorized to process data can no longer be used. However, for these documents to remain in use, they will have to be verified and changed to meet the requirements of the RODO, i.e. so that they provide protection of personal data that is proper and adequate to the risk analysis. Of course, there will also be a need to analyze the processing of personal data in your company and to inventory the above-mentioned data. It should be remembered that after the entry into force of the RODO, a given organization will not meet statutory requirements if it uses documents that are unsuitable for its individual characteristics and do not respond to the risks related to the processing of personal data by this organization.
In addition, new documents that have not been required by law so far will have to be prepared, including the register of personal data processing activities (Article 30 of the RODO). This register should be ready as of 25/05/2018. It should be remembered that the data registers required until 25/05/2018 on the basis of the Act of 29 August 1997 on Personal Data Protection will not automatically become the above-mentioned registers of personal data processing activities referred to in the RODO. It has already been emphasized that the register of personal data processing activities should be a document of wider scope, because it should cover all personal data processing processes carried out by a given personal data administrator.
Thus, even before 25/05/2018, each company should at least:
- Analyze the scope of the company’s operations in terms of the processing of personal data in order to determine the final structure of the documentation that will have to be prepared by 25/05/2018. In this respect, the cooperation of lawyers, the IT department and all persons supervising the processing of personal data, in particular the HR department, will be necessary.
- Carry out an analysis of the documentation already held by the company regarding personal data and their protection.
- Prepare changes to existing documents indicated in point 2, based on the assessment of risks associated with the processing of personal data.
- Prepare new missing documents.