AGIDAT – Datenschutz | Informationssicherheit

Data Protection Management

Organization, roles and processes — data protection as a lived corporate culture, not a stack of files.

What Is Data Protection Management?

Data protection management means not treating data protection as a one-off project, but embedding it as an ongoing process within your organization. It's about establishing clear structures: Who is responsible? What processes exist in the event of a data breach? How are new employees onboarded? How do we respond to data subject requests?

A functioning data protection management system (DPMS) makes data protection plannable, documentable, and auditable.

Core Elements of a Data Protection Management System

Responsibilities and Roles

Data protection requires clear responsibilities:

  • Controller (Art. 4(7) GDPR): Typically the management. They bear legal responsibility for all data processing activities.
  • Data Protection Officer (DPO): Mandatory once 20 or more persons are engaged in automated data processing. Can be appointed internally or externally. Advises and monitors, but is not liable for the company's violations.
  • Data Protection Coordinator: Useful in larger SMEs — an internal point of contact who liaises between departments and the external DPO.

Data Protection Processes

Which workflows need to be defined? At least these:

  • Handling access and erasure requests (deadlines: 1 month, extendable to 3 months)
  • Breach notification process (internal within 24 hours, supervisory authority within 72 hours)
  • Review and execution of data processing agreements
  • Data protection impact assessment for new high-risk processing activities
  • Regular updating of documentation

Data Protection Policies

Internal policies give employees guidance. They don't need to be legally complex — quite the opposite: short, understandable documents that are actually used in practice are worth their weight in gold.

Relevant policies for SMEs:

  • Usage policy for IT systems and email
  • Policy on handling data breaches
  • Policy on mobile work and remote work
  • Confidentiality undertaking for employees

Training and Awareness

The most common cause of data breaches is human error — often not out of malicious intent, but out of a lack of awareness. Regular training significantly reduces this risk.

Training sessions don't need to be long. Half an hour on the most important basic rules, repeated once a year, makes a significant difference. And attendance should be documented.

Data Protection Controlling

How do you know whether your data protection management is working? Through regular internal reviews — at least once a year, the DPO or an external advisor should review the documentation, processes, and measures.

Data Protection Management for SMEs: Pragmatic, Not Perfect

A textbook-complete DPMS would take an SME years and overwhelm its resources. That is not the goal.

The goal is a proportionate, demonstrable system that shows, in an emergency: this company takes data protection seriously, has worked in a structured way, and acts correctly when problems arise.

That is exactly what we build with you — without unnecessary bureaucracy, but with everything that really matters.