General Data Protection Regulation (GDPR)

Processing of personal data according to the 2018 changes of the EU legislation.

GDPR has been the biggest shake-up in personal data protection over the last 20 years

The General Data Protection Regulation (GDPR) is binding and applicable directly to all entities processing personal data. Therefore, new rules has to be adopted by all businesses processing personal data in the European Union. The regulation replaced the Polish Personal Data Protection Act.  

Companies had time to implement the requirements imposed by the regulation until May 25th 2018. Right now, entrepreneurs must care for the ongoing compliance with the regulation since it is a continuous process, not a one-off activity.

The breach of the regulation can result in financial penalties up to 20 million EUR or 4% of the global turnover

The biggest changes introduced by the GDPR

Implementation of the GDPR requirements has reshaped the approach to personal data protection in organizations. New requirements include the necessity for performing risk assessment in relation to personal data processing, adjustment of documentation and procedures to new regulation and accounting for wide spectrum of data subjects’ rights (people to whom the processed data apply). 

Data controllers must be prepared to apply new or extended requirements, such as: 

  • keeping record of processing activities;
  • taking into account data protection at the design phase (Privacy by Design);
  • using default data processing protection (Privacy by Default);
  • carrying out Data Protection Impact Assessment (DPIA);
  • managing rights of data subjects, including right of access by the data subject, request of rectification or erasure of personal data or restriction of processing , right to restriction of processing, right to object, or right to withdraw consent to processing;
  • managing incidents related to breaches in personal data protection.

How do we support your company in the area of the GDPR? 

GDPR implementation in the organization

  • Inventory of personal data processing processes 
  • Gap analysis
  • Risk analysis and Data Protection Impact Assessment (DPIA)
  • Preparation of documents, procedures, analyses 
  • IT/SEC adaptation, i.a. by development of documentation for data processing and organizational and technical measures for personal data protection  

Post-implementation audit 

  • Analysis of the GDPR implementation methodology 
  • Check of completeness of records of processing activities and records of all categories of processing activities
  • Review of business processes for data processing security
  • Review of organization maturity in terms of the GDPR compliance 

Transborder transfers

  • Identification of areas where personal data are processed outside the EEA
  • Development of rules and requirements for secure data transfer outside the EEA  
  • Drafting contractual clauses and other important documents to ensure the full transfer compliance with the GDPR


Maintaining compliance with the GDPR 

  • Permanent system of internal controls in the GDPR context
  • Risk radar for the Management Board
  • Periodic post-implementation audits 
  • Support for the Data Protection Officer 
  • Support during exercising the data subjects rights
  • Vendor’s verification and third party risk management
  • Impact analysis of new activities, processes
  • Update of documents, procedures
  • Privacy by design for new business solutions
  • Data Lifecycle Management 
  • Reconfiguration/ improvement of the existing IT security solutions
  • Analysis of validity related to implementation of new IT security solutions
  • Awareness raising – trainings
  • Support during Supervisory Authority controls 


Security incidents

  • Pro-active incident management 
  • Analysis of vulnerability to incidents and examining the effectiveness of security (STRIKE) 
  • PwC as Managed Security Service Provider (MSSP) Security Operations Center
  • Legal and information security support, investigation services in breach response
  • Support in communication with the Supervisory Authority and data subjects


GDPR E-learning 

Comprehensive online GDPR and data security training for your Company in order to build and increase the awareness about the regulation requirements. Our e-learning will give your employees not only theoretical legal knowledge, but also practical skills necessary for work and secure personal data handling.

Interactive GDPR e-learning...

...based on gamification and micro-tests, covers the following areas:

  • Legal: supports the correct diagnosis of personal data processing and indicates the main processing obligations in accordance with the GDPR requirements.
  • Organizational and process: using practical examples, it describes good and bad practices in organization of processes and working environment, indicating the best practices of employees and employers in personal data protection.
  • Technological/Cybersecurity: shows how use of the office devices and software can contribute to the GDPR breach, what precautions should be taken to minimise the risk of such occurrences. It also recommends methods to reduce the risk of data leakage and theft with use of systems, IT applications or social media, indicating technical measures that can strengthen the data security when using the Internet.

Our GDPR training has the following distinctive features:

  • Legible, aesthetic and intuitive interface
  • Practical examples and exercises speaking to employees’ imagination that can easily be related to everyday activities in most of the companies
  • Authentic market data (e.g. Eurostat) to help understand the scale and character of challenges in the area of personal data protection 
  • Use of gamification and interactive tasks to involve the participants
  • Form of the e-learning and its content works excellent both in small companies and large corporations.

Additional information

The training is available in Polish. Depending on individual preferences and learning process, concluding the training and taking the test will take 1-2 hours. Each employee in your company who handles personal data on a daily basis, should take the training at least once.

The training is accessible from an Internet browser with the use of e-learning platform, either provided by PwC or already used by the client, depending on the selected variant. Number of access to the training is individually determined by each client.  Final costs of the training therefore depends on the number of purchased accesses.

Who does the GDPR apply to?

Who does the GDPR
apply to?

all entrepreneurs who process personal data in the European Union. 

What should you do after the GDPR came into force?

What should you do after the GDPR came into force?

continuously care for maintaining compliance with the regulations on data protection 

What penalties does the GDPR impose?

What penalties does the GDPR impose?

up to 20 million EUR or 4% of the company's global turnover 

Contact us

Michał Mastalerz

Michał Mastalerz

Country Managing Partner of PwC in Poland, PwC Poland

Marcin Makusak

Marcin Makusak

Partner, PwC Poland

Tel: +48 502 184 718

Paulina Komorowska-Mrozik

Paulina Komorowska-Mrozik

Counsel, Head of IP / IT, Data and Consumer, Co-head of Competition, attorney-at-law, PwC Legal, PwC Poland

Tel: +48 519 504 777

Follow us