Integration of data protection into digital business processes.

Data protection requires appropriate and effective operationalization. Gierschmann Consulting is a management consultancy that specializes in data protection management, data protection management systems, and data protection compliance:


Operationalization of requirements

Operationalization of requirements is an important prerequisite for insuring long-term data protection. This means that legal regulations are reflected in procedures and processes in the context of the actual business model, and roles and responsibilities are clearly defined. Data protection management is consequently a management and control function.

Effective data protection management

We support you in minimizing compliance risks using our expertise in current management practices. This applies to data processing in compliance with data protection regulations, insuring the rights of data subjects, or dealing with personal data breaches. Our services include design, setup, assessment, and continuous improvement of effective data protection management. We develop practical solutions in collaboration with you.

Examples are:

  • Creation and implementation of guidelines and work instructions for data protection management
  • Introduction of company-wide standards for data protection management
  • Design and implementation of data protection governance structures
  • Development and implementation of processes that conform with data protection regulations
  • Execution of processes to ensure the rights of data subjects.
  • Introduction of processes for handling IT incidents and data breaches
  • Setup of risk management for data protection compliance


A holistic and systematic approach is essential when ensuring data protection. This can be achieved with the help of a data protection management system (DPMS), also called Privacy Management System (PIMS) as a management and monitoring tool. The set-up of a DPMS depends largely on the context of the business as well as already existing management systems that are already in place. Alignment with available national and international standards is helpful in this regard.

Support for strategic alignment

There is no ‘one-size-fits-all’ approach for a data protection management system. Rather a DPMS should be aligned with your existing business model. Where possible, existing structures and management systems should be used. For example you may want to benefit from an already existing quality management or an information management system.
We support you in the strategic alignment as well as design and implementation of a DPMS. We assist you by means of our knowledge and experience from our involvement in the development of ISO standards for data protection management systems such as ISO/IEC 27701 as an extension of ISO/IEC 27001 and 27002 for data protection management.

Examples of our consultancy activities:

  • Setup of a group-wide data protection management system based on ISO/IEC 27701
  • Workshops for strategic alignment of a DPMS, in particular as an extension to an existing information security management system (ISMS)
  • Design of a DPMS and of the operational and organizational structure by means of guidelines and processes
  • Implementation of the General Data Protection Regulation by way of a data protection management project and setup of a DPMS
  • Comparison of various national and international standards (including ISO with BSI and NIST)


The implementation of appropriate technical and organizational measures (TOMs) must be checked for effectiveness on a regular basis, e.g. through internal audits. This extends beyond mere concept and appropriateness checking. In addition, proof must be furnished to the regulatory authorities that data protection requirements are being adhered to.

High demands in terms of accountability

The GDPR lays down more stringent requirements in terms of the burden of proof on the part of data controllers. Mandatory prerequisites for this are clearly defined processes with roles and responsibilities that must be implemented, ‘lived’, and documented. Similary, additional appropriate technical and organizational measures required to avoid risks for the data subject, must be selected, implemented, ‘lived’, and documented. In addition, regular checks must be carried out as to whether these are effective.

Our expertise and experience enable us to support you in the design, implementation, assessment, and continuous improvement of control and monitoring of compliance with data protection regulations. This also includes carrying out actual audits.

Examples of our consultancy capabilities:

  • Development of a control and monitoring concept
  • Setup of a group-wide data protection audit program
  • Verification of the implementation of data protection requirements (e.g. as a readiness assessment)
  • Assisting the internal audit department in performing data protection audits
  • Checking the effectiveness of technical and organizational measures
  • Concept review of fulfillment of burden of proof

Take advantage of our 20+ years of experience as a management consultancy. We assist our international clients with strategic issues as well as operational implementation. We closely monitor new developments in standardization on national and international levels through our work for industry association and publishing activities, e.g. at DIN, CEN, and ISO level. Our interdisciplinary approach means that we have a collaborative network of partners and lawyers.
Contact person

Markus Gierschmann