Three years ago, data privacy became a hot topic: on 25 May 2018, the General Data Protection Regulation (GDPR) became the new common European framework for the protection of personal data.

Stricter legal requirements ensure better data protection

The GDPR marked the arrival of data protection in everyday life. For most consumers, it has become routine to complete and sign privacy statements, for example when visiting a doctor’s office. This is all due to the GDPR, which is intended to ensure the protection of personal data within the EU and at the same time guarantee the free movement of data within the European single market. In 2018, this regulation replaced previously applicable data protection legislation, including the Federal Data Protection Act (“BDSG old”) in Germany.

The most significant change for businesses is certainly the increase in potential fines from up to 300,000 euros (BDSG old) to ten to twenty million euros or two to four percent of total annual turnover (GDPR). But there are also new provisions regarding the designation (formerly “appointment”) of data protection officers. In Germany, all businesses in which more than 20 employees are permanently involved in the automated processing of personal data must designate a data protection officer. Irrespective of this, a data protection officer may have to be designated if data is processed in a way that is relevant for a data protection impact assessment (Art. 35 GDPR) – or if data is transferred and processed commercially or for the purpose of market or opinion research.

Specialized expertise required

There is no denying it: in the “pre-GDPR world”, the position of data protection officer was often seen as an afterthought, an office someone would hold in addition to their regular job – comparable to that of “occupational safety officer” or “environmental officer”. Many businesses found it perfectly acceptable for their officers to acquire the legally required expertise in a compact certification course, as they simply trusted that no major mishaps would occur. Such an approach should no longer be pursued today, because the job of data protection officer requires comprehensive and in-depth knowledge of concepts such as cloud, big data and artificial intelligence. Without the necessary IT expertise, the risks of processing data can no longer be assessed properly. Risk assessment is a key topic covered in several sections of the GDPR, making it even more important that risk assessors have the necessary competence.

Data protection becomes ever more juridified

With over 70 opening clauses, regulatory mechanisms such as recitals to individual articles and a large number of undefined legal terms, the GDPR requires data protection officers to have much more in-depth legal knowledge than previously. At least the topic has now also reached boardrooms, given the size of the potential penalties. Nevertheless, the description of the role in Article 39 GDPR clearly seems to lower the bar for the job: “inform and advise the controller” and “monitor compliance” read as a lot less ambitious than the familiar “work towards ensuring compliance with data protection legislation” (BDSG old).

Companies that do not have the necessary in-house expertise and want to avoid paying hefty fines can avail themselves of the support of competent external service providers. Such an approach has several advantages: External data protection officers usually have a back office of computer scientists, information security specialists, business economists and fully qualified lawyers at their disposal, which puts them in a position to cover the full complexity and range of applicable data protection regulations. They also keep an eye on international developments. For example, the flow of data in a global, shared service IT structure or the introduction of cloud infrastructures are increasingly important topics – not just for mid-sized groups of companies.

It is also apparent that it will be more and more essential to understand the “peripheral areas” of data protection – other legislation, regulations and standards – and leverage synergies. For example, many industrial companies are required to operate an information security management system (“ISMS”) in accordance with ISO 27001 and have it audited on a regular basis. The resulting structure can be used as an excellent basis for a data protection management system via a scope extension in accordance with ISO 27701.

External data protection officers provide relief and add value for businesses

The current pandemic is just one example showing the added value that collaborating with external data protection officers can deliver for businesses. The external experts at TÜV Rheinland are in regular contact with all relevant data protection supervisory authorities and support their clients with recommendations for action and work aids. Current examples include information letters on the processing of health-related data, the establishment of privacy-compliant procedures for the use of rapid Covid tests in the company, the monitoring of infection incidence levels or the privacy-related monitoring of vaccination campaigns carried out by company doctors.

All things considered ...

… given the increased requirements on the expertise of data protection officers and risks of liability and fines, it may well make sense for companies to outsource the task. Collaboration with external data protection officers can improve quality and cost efficiency in this area – and generate added value. Contact us.


Stefan Eigler

Practice Leader Mastering Risk & Compliance

Stefan Eigler has been in charge of data protection at TÜV Rheinland as Practice Leader Mastering Risk & Compliance since mid-2018. As a recognized Asia expert, he set up TÜV Rheinland’s data protection Consulting Services group in Shenzhen, Greater China, with local colleagues and developed it further in numerous local customer projects. Stefan Eigler is a Master of Laws (Compliance) and a Diplomwirtschaftsinformatiker (University degree in Business Information Technology) as well as a certified CISM, CISA, CCSP, ISO27001 Lead Auditor and SAP CBA. As a proud Rhinelander, he prefers to spend his free time exploring the region with his wife and children and their two dogs.
