The article analyses the issues related to the implementation of organisational responsibilities by personal data controllers and essential services operators relating to the use of risk-based approach, continuous improvement and privacy by design, building internal organisational structures responsible for the security management system of processed information, as well as the role of strategic and operational documentation, the use of self-regulation and standardisation in order to increase the effectiveness of law enforcement. The high dynamics of the development of information and communication technologies and business processes related to their use requires the application of a coherent and interdisciplinary approach to ensuring personal data protection and cybersecurity, which gives synergy effect. Flexibility of applied security solutions, allowing for optimal adaptation to continuous changes in the economic and legal environment, is also important factor. The primary objective of the article is to analyse the consistency and effectiveness of Polish and EU law regulations in the area of ensuring information security of data processing processes, with particular emphasis on the role of organisational safeguards.