Data protection & GDPR consulting


Data protection and the General Data Protection Regulation (GDPR) have played a major role in the everyday lives of companies and their customers, directly or indirectly, for over six years: for companies, because they must fulfil extensive notification and documentation obligations, and for customers, because they want and need to rely on the secure handling of their data. At the same time, reports of serious data breaches, hacking and spam campaigns affecting all users keep increasing; according to the German industry association Bitkom, such attacks caused damage of around EUR 200 billion in Germany alone in 2023, and the trend is rising.

Greater security for company data and personal data requires a common and integrated view of data protection and IT security. 

Even though the GDPR covers every form of processing of personal (or personally identifiable) data, the focus in practice is on IT-based processing. Depending on the size of the company, the tasks of providing and operating the IT infrastructure and of running the specialist departments are assigned to dedicated organisational units. In addition, legal and regulatory requirements govern how IT is structured and operated and how these functional areas are organised, and those requirements can in turn only be met with the support of IT.


Unfortunately, creating and maintaining each of these regulatory frameworks separately is still common in many companies, often because the individual implementation deadlines fell at different times. The companies concerned thereby miss out on the important benefits of aligning their organisation with these requirements as a whole:

  • statutory requirements are increasingly based on the management-system model, i.e. the PDCA cycle (plan, do, check, act), which calls for regular and systematic further development of the organisation
  • the requirements for verifiability and documentation of decisions are central for management to minimise its liability in the event of deficits and errors and to demonstrate a professional approach to risk
  • all of this presupposes that preventive measures for identifying and avoiding risks follow a systematic procedure ("risk management")
  • and that the employees involved are trained in the possible risks, in avoidance strategies and in how to respond when a risk materialises.



The GDPR therefore also requires that these principles are reliably implemented and function effectively and efficiently, in the interests of both the company (the controller) and the data subjects.
Regular monitoring by a neutral body should be considered in order to uncover silo thinking, undesirable developments and deficits in good time, before a customer or the data protection authority does.

CIRCLE OF LIFE: PDCA CYCLE FOR YOUR DATA PROTECTION ORGANISATION AND YOUR DATA PROTECTION MANAGEMENT SYSTEM (DSMS)

It is essential for management, in its role as the responsible party, to know the current performance and effectiveness of the structures built so far for managing data protection requirements. The regular report from the data protection officer (DPO) or from internal data protection coordinators is only sufficient if they are sufficiently critical of any shortcomings (and are allowed to be), and if they can compare their own status with that of their industry and, where necessary, with international or technology-driven developments.

We support these steps towards greater security with the following customized services:

  • Data protection status audit based on the IDW PH 9.860.1 audit guidance and/or your internal audit specifications and routines
  • Action planning derived from the audit, with prioritisation, scheduling and resource planning and, if desired, monitoring of implementation
  • Regular information and discussion events on current topics from the data protection landscape or on specialist topics raised by our clients
  • Hotline for data protection and related information security topics and their detailed areas (BCM, certifications, etc.)
  • Development of models and concepts for linking and integrating the management systems involved (ISMS, BCM, risk management, ICS)

DATA PROTECTION - THE NEVER-ENDING STORY

Admittedly, the legal and technical framework conditions are constantly evolving and repeatedly confront companies with the question of how the new requirements are to be implemented in practice. In these situations it always helps to look beyond your own organisation rather than reinventing the wheel alone (and possibly for a second time).

Even six years after the GDPR came into force, many companies still rely on rudimentary processes and rules from the early days, which do not (or no longer) meet today's standards and thus lead to dissatisfied customers or the risk of fines. The remedy lies in integrating IT tools that serve several of these objectives at once.

You should therefore make sure you have controls in place for the most common gaps and sources of error:

  • the record of processing activities ("VVT") is incomplete or not up to date, typically because newly introduced processing activities (e.g. use of M365, a whistleblower hotline, AI-based tools) have never been recorded
  • the legally required components are poorly documented (threshold analyses, the data protection impact assessment (DPIA) where one is required, erasure concepts, etc.)
  • the company organisation and responsibilities have evolved without the documentation following suit (relocations, spin-offs, holding structures, IT infrastructures, suppliers and processors, etc.)
  • the controller's obligation to regularly monitor partners bound by data processing agreements (DPAs) for compliance with their contractual duties (security TOMs, notification of process changes, employee training, etc.) is neglected
  • the company's own training and reporting obligations are not met in time (handling of data subject rights, adaptation of documents to the information obligations under Art. 13 / 14 GDPR, updating of the data protection information on websites after legal changes, etc.)
  • existing risk assessments for the TOMs, the validity of statements in older DPIA reports, and the interfaces to IT security and the information security management system (ISMS) are not reviewed


Contact


Falk Hofmann

Partner

+49 30 810 795 84

Werner Merl

Associate Partner

+49 6196 7611 4711
