Data Protection Audit

Proof of appropriate standards in data protection is an important contribution for service providers and suppliers to expand existing market segments and gain access to market segments and customers that have not yet been opened. Access to customers in the automotive industry, the electrical industry, mechanical engineering, the pharmaceutical industry, the food industry or other industries will require regular certification in the areas of IT security ISO 27001, quality management ISO 9001 or data protection ISO 27701 in the future. These certifications are the door openers to many industries and very few companies, organizations and institutions will be able to avoid this topic in the future. Certifications in the areas mentioned are indispensable if you want to position yourself for the future. So there is certainly a need for action here and you should regularly include these topics in your strategy for your company, organization or institution.

Attorney Thomas Costard is a certified data protection officer (TÜV), data protection manager (TÜV) and data protection auditor (TÜV) and ISO 27001/BSI basic protection expert (TÜV). We also check the agenda of an upcoming data protection audit by the selected certification body, e.g. TÜV, DEKRA, etc. We accompany the audit and support to pass the audit and to receive the certificate.

Our firm offers to conduct an as-is assessment of data protection and to prepare a data protection audit. We conduct a pre-audit in preparation for the audit by the certification body. Here we put on the “glasses” of the auditor. If the auditor identifies minor deviations and recommendations during the audit, we support you in implementing them and closing gaps. We accompany you during the execution of surveillance audits and re-certification audits.

Furthermore, we conduct audits of processors on behalf of our clients and prepare the required audit report, which reflects the status of the data protection measures at the auditee.


The services of our law firm include in particular:

  • Conducting an as-is survey on data protection (determining the current status)
  • Discussion of the report on the current status with the management and other responsible parties (HR, IT, marketing, sales, public relations, etc.)
  • Establishment of a data privacy management system, definition of a data privacy strategy
  • Preparation of the necessary documents (data protection concept, guideline, directories of processing activities, data protection impact assessments, technical/organizational measures, contracts for commissioned processing, face-to-face training, webinars and video training, inspections, etc.)
  • Support in the selection of the auditor
  • Review and internal coordination of the external auditor’s agenda
  • Accompaniment of the audit for certification in data protection, ISO 27701
  • Presentation and discussion of the data protection audit report with management
  • Support with the deviations (minor deviations, recommendations) identified by the auditor
  • Support during surveillance and recertification audits, ISO 27701