Effective implementation of the EU General Data Protection Regulation

From May 25, 2018 the requirements of the EU General Data Protection Regulation are to be implemented with binding effect. What will remain the same and what will change? Which processes have to be set in motion? And what will be the impacts for your company Finding the answers to the above questions requires a good deal of evaluation, especially as not only legal, but also technical and organizational aspects have to be taken into account.

TÜViT covers all three of the aforementioned aspects. For the last 15 years our experts have been combining their expertise and experience from the fields of data protection, information security and IT security.


Our services at a glance

  • consulting services for the development of a sustainable data protection management system within the framework of the EU GDPR
  • pre-assessment: Identification of the processes and corresponding IT systems which deal with personal data
  • performance of maturity level assessments of the current data protection management system (our experts analyze the implementation and maturity level of data protection processes and methods)
  • gap analysis, including a report and presentation of the results
  • compilation of a catalog of measures to satisfy the EU GDPR requirements
  • consultation on the setting-up of technical and organizational measures with regard to privacy by design and privacy by default
  • follow-up audit / monitoring during the implementation phase  

The most important changes – an overview

  • expansion of the obligation to provide information when collecting personal data
  • amongst other things, supervisory authorities may impose fines of up to €20 million or 2-4% of the global turnover of the previous year
  • personal data breaches must be reported within 72 hours to the supervisory authority
  • market location principle: the EU General Data Protection Regulation (GDPR) now applies to all companies which operate on the European market, irrespective of whether they have their registered office here or not, for as long as they process the data of EU citizens
  • privacy by design: early integration of data protection requirements in the development of IT products, systems and technologies
  • privacy by default: data protection-friendly pre-configuration of products in order to avoid the collection, disclosure or forwarding of personal information
  • accountability principle: obligation of the party responsible not only to comply with the principles of data protection governance (as up to now), but also to be able to provide proof of this
  • expansion of the rights of the individual affected with regard to the obligation to delete data (duty to inform upon the forwarding of data to third parties), the right of objection (which applies in particular to data processing, including profiling for the purposes of direct marketing) and the law on data transferability and data portability
  • protection in accordance with "state-of-the-art technology": reinforcement of the risk-based approach with regard to the effectiveness of security measures
  • privacy impact assessment for data processing which is particularly risky

Fit for the EU GDPR

There is no sample solution, as each company carries out different data processing procedures due to its own business model. Therefore it is all the more important that organizations and companies deal in depth at an early stage with the EU General Data Protection Regulation and devote their attention in particular to the following questions:

  • Have data protection risks been appropriately taken into account in the key risk management process?
  • To what extent do we process personal data when assessing how our customers use our products/services? 
  • Do we process personal data outside the EU?
  • Are our data processing procedures sufficiently documented?
  • Are our transmission pathways for the transfer of personal data sufficiently secured?
  • Have we adapted our privacy policy?
  • Have we created the necessary processes to inform the persons concerned and the supervisory authorities within 72 hours in the event of a data protection violation?
  • Have we taken into account the introduction of privacy impact assessments?
  • Have we taken into account the introduction of risk assessments to define appropriate technical and organizational measures?
  • Have we implemented a process to delete personal data without delay?
  • Do the present agreements with contractors satisfy the requirements of the GDPR? 

Your benefits at a glance

  • Our interdisciplinary team has more than 15 years of experience and expertise in the field of data protection/data privacy, information security and IT security and therefore covers the legal, technical, organizational and procedural aspects which have to be taken into account in the implementation of the requirements of the EU General Data Protection Regulation.
  • Our range of services within the field of data protection management is based on a modular design. We have the appropriate data protection concept for every company size and situation.
  • With the help of certification by our TÜViT certification body for data protection we provide proof that you comply with all relevant data protection directives.
Gerald Krebs Global Account Manager
Alexander Padberg Global Account Manager Cyber Security