Data protection management

Efficient and GDPR-compliant

Success through good data protection

Data protection is undoubtedly a complex and challenging task for companies of all sizes. In order to meet this challenge, requirements from various areas must be fulfilled - from legal requirements and technology to the handling of sensitive data.

It requires the smooth interaction of different departments within the company, such as the legal and compliance department and the IT department, and ultimately affects all employees at all levels.

Data protection means that everyone pulls together to ensure the integrity and security of data.

With our team consisting of lawyers, data protection experts and developers, we support you in the implementation of practical data protection.

Advantages of good data protection management

  • Overview of the data you process
  • Reputation thanks to professional processes & structures
  • Efficient ability to provide information - for example for data subject enquiries or internal or external reports
  • Utilisation of synergy effects through collaboration with IT, information security, risk & compliance, specialist departments and committees, such as staff representatives
  • Risk minimisation for data protection incidents
    • Incidents can be avoided or detected at an early stage
    • Incidents are dealt with in a structured manner
    • Penalties and sanctions are reduced or can be avoided altogether

adesso offers a wide range of services to meet data protection requirements, for example through customised consulting services, effective employee training, innovative technology solutions for data encryption and security as well as the implementation and optimisation of data protection guidelines and processes.

  • Solutions using artificial intelligence are exciting, topical and bring with them many opportunities and risks. It is essential that these AI solutions are used in compliance with data protection regulations. For example, once AI systems have learnt from data, it is difficult or even impossible to delete data from the system. It is therefore imperative to take data protection into account as early as the AI design stage.

    We support you in identifying and minimising data protection risks when using AI.

  • In order to be able to implement the requirements of data protection and the GDPR in a compliant manner, it is advisable to operate a (data protection) management system (Personal Information Management System - PIMS), taking technical and organisational aspects into account. Centralised development of a PIMS can create synergies for several specialist departments and topics.

    If an information security management system (ISMS) already exists, we can integrate a PIMS in 3 phases:

    • Expansion of existing information security management systems (ISMS) to include data protection aspects
    • Development of an integrated management system in accordance with DIN ISO 27701
    • Support for DIN ISO 27701 certification (a DIN ISO 27001 certificate is mandatory for this)
  • The quality of data protection measures can be reviewed as part of internal and external audits. Certification in accordance with the GDPR is currently not possible, but companies can be certified in accordance with DIN ISO 27701, which requires certification in accordance with DIN ISO 27001. DIN ISO 27701 is a management system for data protection and requires the establishment, implementation, maintenance and continuous improvement of data protection at management level. Our services include:

    • Carrying out internal audits
    • Planning and organisation of external audits
    • Organisation of certification audits
    • Preparation and monitoring of all audits
  • In the context of data protection, awareness measures refer to activities that aim to increase the awareness and knowledge of employees in the company about regulations, legal precedents, risks, best practices and behaviour when handling personal data. We therefore focus on the following areas in our training programmes:

    • Identifying training needs: Analysing the needs within the company and identifying the employee groups that require data protection training
    • Development of training content: Content is tailored to the specific requirements and tasks of the employee teams as required
    • Modern training methods (remote, hybrid and on-site) for employees
    • Consideration of legal requirements: General Data Protection Regulation (GDPR), Federal Data Protection Act (BDSG), Data Protection Act (Switzerland), Ordinance on Data Protection Certifications (Switzerland), industry-specific data protection laws (USA), DIN ISO 27701, combination with information security content (DIN ISO 27001)
    • Quality assurance during training: list of participants with proof of certification on request and collection and analysis of participant feedback forms
  • Data protection is a dynamic and continuous topic in the company. It is constantly evolving and must be taken into account in projects. We support you with:

    • Data protection by design: Implementation of data protection from the start of the project
    • Risk assessment: Identifying and minimising data protection risks, including impact assessment
    • Implementation of appropriate security measures to protect the collected data from unauthorised access, loss or theft.
    • Use of test data or obtaining explicit consent before personal data is collected and used.
    • Data minimisation: Minimising the amount of personal data to reduce the risk to user privacy.
    • Interfaces / data transfers: Transparent flow of information to users about the data protection practices applied.
    • Compliance with GDPR: Ensuring that projects comply with all applicable data protection laws.
  • In order to reduce data protection costs, the legal data protection requirements should already be technically integrated during software development. In particular, technical data protection measures can already be implemented during data processing, such as the anonymisation of personal data in video recordings. Privacy by design has been practised in our software development for a long time. Benefit from our experience!

  • ‘Data deletion ≠ data loss - we support you with the questions of what needs to be deleted, when and how!’

    Data lifecycle management is a concept for managing data over its entire lifecycle. From data collection to deletion, data is categorised according to its value and is subject to different protection objectives (confidentiality, availability, authenticity and integrity). Depending on their protection goals, different processes must be designed in the life cycle of the data. We advise, analyse and design the implementation or improvement of lifecycle management.

  • Structured service management is becoming increasingly important. An individual catalogue of measures for the requirements to be fulfilled by service providers, especially in data protection, is essential. Such a catalogue can be decisive for the successful outsourcing of services. The following aspects should be taken into account:

    • Contract agreements
    • Data transfers, including to third countries
    • Service provider reviews

    We can support you with these topics by means of GAP analyses and consulting.

  • We provide external data protection officers and help you to master data protection tasks in your day-to-day business:

    • Advising organisational management and employees
    • Sensitising and training employees involved in the processing of personal data
    • Drawing up the necessary process descriptions for the individual processing operations of customers in accordance with legal requirements
    • Liaising with the supervisory authorities
    • Advice on the implementation of technical and organisational measures (TOM)
    • Development of a deletion concept based on the statutory deletion periods
    • Data protection advice on contracts and homepages

Do you have questions?

No website or brochure can replace a personal dialogue about your goals and issues. We look forward to meeting you at your premises.