New data protection rules in Poland impose audit obligations on data controllers who have appointed information security officers, and on those information security officers themselves. It remains unclear, however, whether data controllers who have not appointed an information security officer fall under the new rules, or whether companies are now required to appoint one.

Under the new rules, an information security officer must conduct both scheduled and unscheduled audits. Scheduled audits must follow an audit plan covering a period of at least one quarter and no more than one year, and at least one audit must be conducted within that period. For each audit, the plan must state the date, the subject matter, and the scope of the activities to be carried out.

The unscheduled audits must be performed promptly when an information security officer receives notice of a personal data breach or if there is reasonable suspicion of a data breach. Furthermore, the Inspector General for the Protection of Personal Data (GIODO), Poland’s data protection authority, may carry out its own inspection or request that the information security officer carry out a similar audit. Once the audit is complete, the information security officer must prepare a report including information detailed in the plan, activities undertaken by the information security officer, a list of individuals covered by the audit, and any remedial action taken to comply with Polish law.

TIP: Companies operating in Poland should review their privacy and security arrangements with these audit obligations in mind, and, if they have appointed an information security officer, make sure that officer has an audit plan in place and a procedure for triggering an unscheduled audit when a breach is reported or suspected.