Data Protection Management
Organization, roles and processes — data protection as a lived corporate culture, not a stack of files.
What Is Data Protection Management?
Data protection management means not treating data protection as a one-off project, but embedding it as an ongoing process within your organization. It's about establishing clear structures: Who is responsible? What processes exist in the event of a data breach? How are new employees onboarded? How do we respond to data subject requests?
A functioning data protection management system (DPMS) makes data protection plannable, documentable, and auditable.
Core Elements of a Data Protection Management System
Responsibilities and Roles
Data protection requires clear responsibilities:
- Controller (Art. 4(7) GDPR): Typically the management. They bear legal responsibility for all data processing activities.
- Data Protection Officer (DPO): Mandatory once 20 or more persons are engaged in automated data processing. Can be appointed internally or externally. Advises and monitors, but is not liable for the company's violations.
- Data Protection Coordinator: Useful in larger SMEs — an internal point of contact who liaises between departments and the external DPO.
Data Protection Processes
Which workflows need to be defined? At least these:
- Handling access and erasure requests (deadlines: 1 month, extendable to 3 months)
- Breach notification process (internal within 24 hours, supervisory authority within 72 hours)
- Review and execution of data processing agreements
- Data protection impact assessment for new high-risk processing activities
- Regular updating of documentation
Data Protection Policies
Internal policies give employees guidance. They don't need to be legally complex — quite the opposite: short, understandable documents that are actually used in practice are worth their weight in gold.
Relevant policies for SMEs:
- Usage policy for IT systems and email
- Policy on handling data breaches
- Policy on mobile work and remote work
- Confidentiality undertaking for employees
Training and Awareness
The most common cause of data breaches is human error — often not out of malicious intent, but out of a lack of awareness. Regular training significantly reduces this risk.
Training sessions don't need to be long. Half an hour on the most important basic rules, repeated once a year, makes a significant difference. And attendance should be documented.
Data Protection Controlling
How do you know whether your data protection management is working? Through regular internal reviews — at least once a year, the DPO or an external advisor should review the documentation, processes, and measures.
Data Protection Management for SMEs: Pragmatic, Not Perfect
A textbook-complete DPMS would take an SME years and overwhelm its resources. That is not the goal.
The goal is a proportionate, demonstrable system that shows, in an emergency: this company takes data protection seriously, has worked in a structured way, and acts correctly when problems arise.
That is exactly what we build with you — without unnecessary bureaucracy, but with everything that really matters.