Data Protection

Data protection is a management issue

Christian Bartmann
Partner Risk Assurance Solutions,
PwC Germany
Tel.: +49 69 9585-2848

Since the General Data Protection Regulation (GDPR) entered into force, if not before, data protection compliance has become a management issue. While many companies used to regard laws and regulations on digital privacy as a burden and a competitive disadvantage, ensuring an adequate level of data protection is now a prerequisite for cooperation and business relationships. It guarantees the appropriate and contemporary handling of personal data, including the necessary protection and care.

Take advantage of our comprehensive services and let data protection become your instrument for the future. On request, we can carry out status analyses, develop implementation measures and implement them with you in your company in compliance with the GDPR. For the certification of your data protection organization, we work in accordance with international standards and use the most advanced know-how from the areas of information technology, technical management and law. In addition, we can provide you with an external data protection officer (eDPO) as a single point of contact. The external data protection officer informs you and your team about important developments through internal audits and regular activity reports and offers you full transparency about the status of your data protection management.

Our services

Readiness assessments, data protection advice and projects

The GDPR applies to every company and every process in which personal data is processed, no matter whether cookies are used, IP addresses are stored or address data is processed. Due to the high potential penalties, the consequences of a poor implementation or of any mistakes can be serious. The GDPR sets high standards, but leaves the question of implementation largely open. Every company must close this gap on its own. In addition, critical infrastructures as well as interfaces to other legal requirements lead to increasingly complex requirements.

The GDPR sets diverse and complex requirements for companies. All processes in a company in which personal data is processed have to be assessed and must therefore be adapted. Not only the rights of data subjects, but also documentation requirements, data security, employee data protection and other aspects must be taken into account. For this purpose, every data controller requires a data protection concept that meets the requirements of the GDPR. Consequently, companies must revise their existing concept or create a new program. However, they are often faced with the question of whether the new concept really meets all the requirements of the GDPR. As part of our readiness assessment, we check your data protection organization and its conception for compliance with the GDPR.

Project phases

Our data protection experts are able to support you during the next steps of the implementation phase. We support you in developing the data protection concept, in planning and controlling the implementation steps, and in the implementation itself. We also provide expert advice on particular issues such as video surveillance, the notification obligation within 72 hours or the preparation of deletion concepts (in accordance with DIN 66398 and the principle of data minimization in Art. 5 (1) lit. b GDPR).

Audit / Certification

Adequate evidence of compliance with the regulations of the GDPR is becoming increasingly important both for data controllers and for data processors as the basis of a trustworthy business relationship.

For example, data protection can be a component of the certification of the Compliance Management System (according to IDW PS 980). It is also possible to audit partial sections of a data protection organization and to obtain a certificate of compliance with the principles, procedures and measures of the GDPR in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised).

How GDPR compliant are your service providers?

According to Art. 28 GDPR, data processing can only take place if the service provider guarantees secure processing. The ISAE 3000 (Revised) also allows data processors to be audited and certified against your individual data protection requirements.

Thanks to our collective knowledge from a wide range of industries and the possibility of consulting our lawyers and other experts at any time, we can support you in evaluating compliance with the regulations in your own company or at your data processors, or we can completely take over these parts for you as an independent third party.

External Data Protection Officer

The appointment of a data protection officer (DPO) is binding for your company in accordance with Art. 37 GDPR. Are you hesitant to delegate this task internally? Then PwC is a reliable partner who will provide you with an external data protection officer. 

A data protection officer must not only be adequately qualified, but must also work independently. Performing other jobs in the company at the same time is rarely possible. Legal knowledge alone is not enough: the data protection officer must also assess technical and organizational measures. Through many years of data protection expertise from a variety of different industries, we can always guarantee adequate qualification and expertise, which are refreshed and improved through regular training and continuing education.

Your advantages

  • High quality advice and information on data processing, handling personal data, data protection and data protection laws
  • Our Data Protection Officers have know-how from other industries and companies and reduce the risk of operational blindness
  • Our Data Protection Officers exchange views with experts from other areas within the large PwC network
  • Neutral, independent position of the Data Protection Officer within the company (e.g. towards customers, employees, works councils)
  • Better cost control (e.g. by eliminating training costs) and no resource commitment
  • Guaranteed availability of the Data Protection Officer through PwC internal representation
  • Guaranteed qualifications and expertise through internal training and practice

The tasks of the Data Protection Officer

  • Providing information and comprehensive advice to the company
  • Monitoring compliance with data protection requirements (GDPR and national laws)
  • Compliance with companies' strategies on the protection of personal data
  • Cooperation with the responsible data protection supervisory authority
  • Support in case of data protection incidents within the company

"The GDPR will ensure a more conscious handling of data and a stronger enforcement of data protection law."

Heiko Maas, German Secretary of State and former Minister of Justice and Consumer Protection

Quick Online test


From status analyses via individual consultations - e.g. in the form of training, coaching or workshops - to the development of deletion concepts or complete project support: We develop individual and demand-oriented solutions for your company. Take advantage of our short online test and get a rough overview of your concrete data protection needs.


Contact us

Christian Bartmann

Partner Risk Assurance Solutions and Co-Lead Competence Center Process Mining, PwC Germany

Tel: +49 69 9585-2848
