Whistleblowers GDPR compliance is an area where data protection obligations and reporting system requirements overlap directly. In Poland, the Act on the Protection of Whistleblowers entered into force on 25 September 2024, with external reporting channels becoming...
Blog
Expert articles, step-by-step guides and regulatory news on GDPR and data protection. We cover what actually affects the daily work of DPOs, controllers and compliance professionals — from the record of processing activities and risk assessments to legislative changes and supervisory authority decisions.
Legal Bases for Processing Personal Data – When to Use Consent and When Legitimate Interest
2026 Apr 8 | GDPR and iGDPR guides for practitioners and beginners
Choosing the right lawful basis GDPR requires for each processing activity is one of the first decisions every data controller must make. One of the first and most important questions that arises when implementing GDPR is: what legal basis are we using to process this...
AI Tools in the Workplace and GDPR – What You Can and Cannot Do
2026 Apr 8 | GDPR and iGDPR guides for practitioners and beginners
Employees in most organisations are already using AI tools. Generative assistants, chatbots built on large language models, writing and document summarisation tools — artificial intelligence has entered everyday work so quickly that data protection procedures and...
Cookie Consent and GDPR – How to Implement a Compliant Banner
2026 Apr 8 | GDPR and iGDPR guides for practitioners and beginners
A cookie consent banner is one of those website elements that business owners tend to treat as a formality. They copy a ready-made template, click publish, and consider the matter closed. In practice, it is one of the areas where data protection authorities most...
GDPR Recruitment: What Data Can Employers Legally Collect?
2026 Apr 7 | All articles, GDPR and iGDPR guides for practitioners and beginners
Hiring Employees? Your GDPR Recruitment Process Might Be Non-Compliant. Many companies do not realise that their GDPR recruitment process may already expose them to risk. A candidate submits a CV, HR reviews it, and the document is shared internally. While...
How to Implement GDPR in a Small Business – Step by Step
2026 Apr 1 | GDPR and iGDPR guides for practitioners and beginners
GDPR implementation in a small business tends to feel more complicated than it actually is. The regulation itself is not the barrier — the barrier is the lack of a clear starting point. Many organisations approach GDPR as a one-time project: they download templates,...

GDPR Access Control – Who Can Process Personal Data and How to Manage It
2026 Apr 1 | GDPR and iGDPR guides for practitioners and beginners
One of the most overlooked questions in GDPR compliance is also one of the most fundamental: who in your organisation actually has access to personal data, and why? In many organisations the answer is unclear. Access is granted when someone joins, rarely reviewed, and...

Data Processing Agreement (DPA) – When Is It Required and What Must It Contain
2026 Apr 1 | GDPR and iGDPR guides for practitioners and beginners
A Data Processing Agreement is one of the most common — and most misunderstood — elements of GDPR. Most organisations know they "should have one". But far fewer understand when it is actually required, what it must contain, and how it differs from simply accepting a...
Most Common GDPR Mistakes – What Supervisory Authorities Find During Inspections
2026 Apr 1 | GDPR and iGDPR guides for practitioners and beginners
The most common GDPR mistakes in organisations do not result from a lack of documentation. They result from documentation that exists on paper but is not reflected in how the organisation actually operates. Supervisory authorities do not inspect what is written in...

GDPR Data Subject Rights – How to Handle Requests Step by Step
2026 Apr 1 | GDPR and iGDPR guides for practitioners and beginners
Data subject rights are one of the most practical aspects of GDPR — and one of the most operationally challenging. Requests do not arrive as formal legal documents. They arrive as ordinary emails, contact form submissions, customer service messages, sometimes even...

GDPR Data Retention – How Long Can You Store Personal Data
2026 Apr 1 | GDPR and iGDPR guides for practitioners and beginners
One of the most frequently asked questions in GDPR compliance is deceptively simple: how long can we keep personal data? The answer is equally simple in principle — only as long as necessary for the purpose for which it was collected. In practice, however, this...

GDPR risk assessment and DPIA – how to do it step by step
2026 Mar 31 | GDPR and iGDPR guides for practitioners and beginners
GDPR risk assessment is one of those obligations that exists in the documentation of almost every organisation — but in practice tends to be performed once, without updates and without any real connection to actual data processing activities. The result is a document...

Record of Processing Activities (ROPA) – What It Must Contain and Example Entry
2026 Mar 31 | GDPR and iGDPR guides for practitioners and beginners
The record of processing activities is one of the first documents requested during a supervisory authority inspection. In theory, the obligation flows directly from Article 30 GDPR — in practice, many organisations maintain it in a way that falls short of...
iGDPR data privacy compliance software in English
2021 Nov 10 | iGDPR System
Less than two months after its debut, the iGDPR system is available in an English version. The English version of the system provides the same list of functionalities as the Polish version and is also available in three plans.
