New data protection rules (Rules) have been issued in Poland which impose audit obligations on those companies which have appointed an ‘information security officer’. 

The Rules require that a company’s information security officer conducts both scheduled and unscheduled audits. The unscheduled audits should take place after an information security officer receives notice of a data breach.

It is not clear whether the Rules impose obligations on companies to appoint an information security officer where they have not already done so.

A copy of the Rules is available here (Polish).

What action could be taken to manage risks that may arise from this development?

Companies should review their privacy and security processes to ensure that they are compliant with the Rules.