Integration of data protection into digital business processes.

Operationalization of requirements

Operationalization of requirements is an important prerequisite for insuring long-term data protection. This means that legal regulations are reflected in procedures and processes in the context of the actual business model, and roles and responsibilities are clearly defined. Data protection management is consequently a management and control function.

Effective data protection management

We support you in minimizing compliance risks using our expertise in current management practices. This applies to data processing in compliance with data protection regulations, insuring the rights of data subjects, or dealing with personal data breaches. Our services include design, setup, assessment, and continuous improvement of effective data protection management. We develop practical solutions in collaboration with you.

Examples are:

• Creation and implementation of guidelines and work instructions for data protection management
• Introduction of company-wide standards for data protection management
• Design and implementation of data protection governance structures
• Development and implementation of processes that conform with data protection regulations
• Execution of processes to ensure the rights of data subjects.
• Introduction of processes for handling IT incidents and data breaches
• Setup of risk management for data protection compliance

Support for strategic alignment

There is no ‘one-size-fits-all’ approach for a data protection management system. Rather a DPMS should be aligned with your existing business model. Where possible, existing structures and management systems should be used. For example you may want to benefit from an already existing quality management or an information management system.
We support you in the strategic alignment as well as design and implementation of a DPMS. We assist you by means of our knowledge and experience from our involvement in the development of ISO standards for data protection management systems such as ISO/IEC 27701 as an extension of ISO/IEC 27001 and 27002 for data protection management.

Examples of our consultancy activities:

• Setup of a group-wide data protection management system based on ISO/IEC 27701
• Workshops for strategic alignment of a DPMS, in particular as an extension to an existing information security management system (ISMS)
• Design of a DPMS and of the operational and organizational structure by means of guidelines and processes
• Implementation of the General Data Protection Regulation by way of a data protection management project and setup of a DPMS
• Comparison of various national and international standards (including ISO with BSI and NIST)

High demands in terms of accountability

The GDPR lays down more stringent requirements in terms of the burden of proof on the part of data controllers. Mandatory prerequisites for this are clearly defined processes with roles and responsibilities that must be implemented, ‘lived’, and documented. Similary, additional appropriate technical and organizational measures required to avoid risks for the data subject, must be selected, implemented, ‘lived’, and documented. In addition, regular checks must be carried out as to whether these are effective.

Our expertise and experience enable us to support you in the design, implementation, assessment, and continuous improvement of control and monitoring of compliance with data protection regulations. This also includes carrying out actual audits.

Examples of our consultancy capabilities:

• Development of a control and monitoring concept
• Setup of a group-wide data protection audit program
• Verification of the implementation of data protection requirements (e.g. as a readiness assessment)
• Assisting the internal audit department in performing data protection audits
• Checking the effectiveness of technical and organizational measures
• Concept review of fulfillment of burden of proof