With many years of experience in data protection and related matters, both in-house and as external privacy consultants, we can help you design, develop, and implement appropriate, pragmatic, and effective data protection management practices, data transfer and vendor management strategies, training programs, and organizational structures that are tailored to your organization and business needs and help you ensure compliance with data protection laws and regulations and respond to issues as they arise.
Data protection governance includes standards based on laws, regulations, and general data protection principles; processes and procedures that define the necessary measures and behaviors to comply with the standards; awareness programs and tools; defined roles and responsibilities and clear accountabilities to ensure effective and sustainable implementation of legal and regulatory requirements; and controls that ensure effectiveness and help mitigate risk.
Our Services
Data protection maturity assessments
We assist you in assessing the status quo and the processes used in your organization, both locally and globally, to determine the level of maturity and associated need for action in your organization. Such assessments include evaluating internal policies and procedures, practices, and data flows, identifying key gaps and risks, and recommending remediation actions.
Program scope & strategy
Based on an initial assessment, we support you in defining a data protection strategy tailored to your company and business activities and in developing an appropriate data protection program.
Governance structure
We support you in setting up an effective governance structure and privacy organization and in defining roles and responsibilities.
Privacy policy framework
We assist you in developing a framework consisting of standards, policies, procedures, and processes covering all aspects of data protection to implement the privacy program at the global, regional, and local levels in compliance with applicable laws and regulations.
Data subjects' privacy rights management
We support you in the development and implementation of appropriate procedures and processes for the efficient handling of requests for information from data subjects and requests in connection with other data protection rights.
Data security
We support you in defining appropriate technical and organizational measures (TOMs) to protect personal data managed in your organization and through third parties, using a risk-based approach.
Data breach management
We assist you in developing procedures and processes for handling cyber-attacks and data breaches, including notification management and remediation, and perform appropriate exercises for testing.
Data retention and deletion concepts
We develop concepts for the storage and deletion of personal data with corresponding retention periods and, if required, conduct appropriate training.
Third party management
We support you in all data protection aspects to be observed when exchanging personal data with third parties or outsourcing the processing of personal data to service providers. We develop appropriate guidance for defining the roles of the parties and assigning the corresponding responsibilities. This is particularly important for contracts involving multiple parties or where different interpretations by regulators may lead to different outcomes, such as clinical trials involving investigators from across Europe. We develop contract templates and questionnaires as well as assessment tools for audits of service providers and support you in data protection and information security audits and contract negotiations.
Recording and evaluation of processing activities
We create procedures, processes and templates/tools for documenting processing activities and conducting compliance checks, including data protection impact assessments, and provide related training.
Privacy by Design
We support you in evaluating projects, systems, applications, products, and processes from the initial design stage through development to market launch and advise on appropriate privacy enhancing technologies to ensure compliance with applicable privacy and security requirements. We develop appropriate privacy by design guidelines tailored to your company.
Data transfer governance
We advise you on suitable models and the requirements for the worldwide exchange of personal data within your organization and with third parties and support you in the implementation of the defined solutions. This also includes conducting initial transfer impact assessments for transfers to third countries that do not ensure an equivalent level of data protection and defining appropriate safeguards, including transfer agreements. The group-wide data transfer strategy includes guarantees such as intra-company agreements (so-called Intragroup Data Transfer and Processing Agreements) and Binding Corporate Rules (BCR).
Binding Corporate Rules
We support you in the development of Binding Corporate Rules (BCR) for your company, in the approval process in the EU, UK and Switzerland, and in the effective implementation of BCR in your organization.
Awareness and training
We develop and deliver sustainable and interactive general and specific privacy training and awareness campaigns targeted at associates in general and at specific higher-risk roles.
Risk management
We support you in developing and implementing effective data protection control instruments, compliance and risk assessment tools, and audit concepts to ensure sustainable compliance with all legal requirements, demonstrate accountability, and minimize business risks. We also perform appropriate controls and audits in your organization.