Depending on the industry, the size of the company and the countries in which its activities take place or have an impact, a company must take a wide range of legal requirements into account. A risk-based approach makes it easier for companies to be compliant.

With the introduction of a Compliance Management System (CMS), a company commits to a systematic approach for managing all of its legal requirements. A CMS usually comprises:

  • Capturing and classifying the legal risks
  • Defining the risk appetite of the Board of Directors
  • Introducing a code of conduct, policies and processes
  • Training for the supervisory board, top management and affected employees
  • Adapting contracts
  • Introducing a monitoring process for business associates
  • Creating an independent body for reporting misconduct
  • Being ready to investigate misconduct and introduce measures
  • Measurably evaluating the effectiveness of the CMS

We can set up a CMS for your company or support you in the individual areas listed above. We also offer to act as an independent contact point for reporting misconduct. With our expertise, we can ensure legally privileged, confidential and independent investigations.

Data Privacy

Technology companies ask users to hand over ownership of their private data in return for a "free" service. However, the data obtained is worth far more than the "free" service. Tighter data protection requires that citizens should, in principle, remain the owners of their data. Where any rights are assigned, the citizen should decide only on the basis of comprehensible and fully informed guidance. A company should take the step into digitalization with data protection requirements in mind. Privacy by Design and Privacy by Default should be familiar concepts to digitalization consultants.

Privacy by Design
Ideally, developers know the data protection regulations and design new systems in such a way that data protection is built into them from the start.

Privacy by Default
The default settings of applications, for example the collection of data from website visitors, should be configured so that they are privacy-friendly.

The processing of private data requires either the consent of the owner or a legal basis that permits this kind of processing. We are happy to support you as a member of the project steering committee for digitalization projects, or to take on the role of your external data protection officer.

We also support you in introducing a data privacy framework, or with its individual pillars, such as:

  • Risk overview: which legal requirements the company must meet
  • Introduction of data protection policies and processes
  • Company map of data protection-relevant data
  • Training of managers and employees
  • Legitimizing the transfer of data to business associates
  • Introduction of measures that make the transfer of data to business associates lawful
  • Managing your own or your business associates' data breaches
    (response, reporting obligations and investigations, communication plan)
  • Representation before the authorities and in legal proceedings

A further, very important pillar is the legal requirement that your company has implemented all technical and organizational measures needed to protect personal data. The necessary knowledge in the field of cyber security is presented in detail under the Cyber Security offer.

Cyber Security

Network protection is the sister discipline of data protection: there is hardly a successful attack on a network that does not also result in a data breach.

The growing number of links to the Internet and the lack of international cooperation in combating cybercrime expose companies. Attacks by hackers, cybercriminals and even states can be triggered with a single click by a single employee.

Have you calculated which networks you can do without, and for how long, before your company has to stop operating? Do you follow the 3-2-1 rule and keep 3 copies of your data, in 2 different places, with 1 copy offline?

Only those who regularly conduct a "firefighting exercise" are properly prepared. You are far less likely to face a fire than a cyber attack. Have you already carried out a firefighting exercise? Have you already simulated a cyber attack? If you no longer have access to your data, how and with what content do you inform all your customers? Do you have your IT support's number at hand? Which authorities could help you, and which authorities do you need to inform?

Besides the familiar "penetration test", the components of an information management system for managing cyber risks in the new information age are:

  • Risk assessment: which cyber security risks are business risks
    (how long can the company get by without this or that system)
  • Legal requirements for your company
  • Evaluation of the Management Board's risk appetite
  • Clarification of responsibilities and interfaces
  • Training needs of the supervisory board, management and affected employees
  • Information security policies and processes
  • Inventory of systems, facilities and devices; access management
  • Software management
  • Management of protective hardware and software
  • Hacked - what now? Crisis management plan and exercises
  • Evaluating and averting legal consequences
  • Cyber insurance

Cyber security management reduces numerous legal, regulatory and procedural risks. Your company can focus on its core business and protect its good reputation.