Data protection concept / data protection management system
In times of the GDPR, selective data protection is no longer effective in order to fulfil all obligations arising from the GDPR (Accountability).
The sole appointment of a data protection officer therefore only fulfils a part of the requirements of the GDPR.
The supervisory authorities can also demand the submission of company-wide data protection concepts as part of the audits, which is why the implementation of a data protection management system is unavoidable.
Implementation of a data protection management system
Analysis of current data protection level
Auditing of the entire company with regard to:
Documentation and preparation of findings
- Actual workflows
- Existing work instructions, documentation, contracts
- Existing data protection processes
- List of processing activities
- Fulfilment of information duties
- Data protection agreements (DPA, Joint Controllership)
- Security of data-processing
Creation of an action plan
- List of all located deviations with risk assessment
- Conception of work packages prioritized according to risk and probability of occurrence
Once the work packages have been finalized, implementation will be driven forward in the individual specialized departments:
- Initial workshop with all specialized departments
- Creation of processing directories
- Determination of the required data protection agreements with service providers
- Fulfilment of information obligations
- Implementation of data protection processes (information, deletion, conduct in the event of a data breach)
- Data protection impact assessment
- Deletion concept
In addition, all employees are instructed in the data protection management system.
Documentation, regular auditing
Lawyer Michaela Berger, LL.M.
Specialist lawyer for IT law
certified data protection officer (TÜV Süd)
certified data protection auditor (TÜV Süd)