Data Privacy & Data Protection Services

We support your Risk, Compliance and Legal departments and help you comply with data protection regulations.

Privacy and data protection are the essential foundations for digital trust and confidence in an interconnected environment, and an enabler for secure, data-driven products, especially when using AI. Understanding your organization’s data and how to handle it to ensure compliance with changing regulations and requirements is the key to compliant operations.

As our world becomes more interconnected and complex, robust data protection mechanisms are indispensable for fostering and preserving trust.

Our multidisciplinary team has extensive knowledge of the regulatory landscape, technology, risk and compliance and combines this with expertise in the optimization of processes and procedures relating to data protection practices. The complexity of today's evolving regulatory landscape means that securing data protection poses many challenges.

We not only assess your compliance with the law, but also support you with the necessary compliance framework, including governance, processes, directives, technical and organizational measures, secure cross-border transfers, training and awareness-raising around data protection regulations.

Benefit from our expertise and experience in all practical privacy and data protection related matters.

Thomas Bolliger

Director, Information Management & Compliance

KPMG Switzerland

Alberto Job

Director, Information Management & Compliance

KPMG Switzerland


Why KPMG services?

  1. Expertise in global, regional (EU) and national data protection

    KPMG specializes in data protection, information security and data management and provides comprehensive data security measures.

  2. Cross-industry and sector references

    The references we provide offer insights into digitalization and data trends, empowering early risk mitigation with tailored measures.

  3. Interdisciplinary approach

    We combine technical, organizational and legal expertise in an interdisciplinary approach to provide practicable privacy solutions and ensure risk-based end-to-end client support.

  4. Practical compliance solutions

    Our compliance solutions integrate a wide range of regulatory requirements effectively and simply through automation to facilitate compliance. We offer predefined modules for the rapid and effective implementation of data protection and AI measures.


Our services help you generate innovation by providing value far beyond just data privacy

Safeguard privacy rights

Upholding stringent data protection measures ensures individuals' privacy rights, aligning with fundamental values and legal frameworks.

We help you develop and execute strategies, and we provide expert guidance on frameworks and ongoing monitoring for a sustainable implementation of effective measures to keep up with privacy rights and laws.

Enable innovation and responsible data use

Promoting a secure environment encourages responsible data use and fosters innovation in emerging technologies, such as artificial intelligence, blockchain, and the Internet of Things (IoT).

We support you in creating secure environments where you can innovate and ensure data integrity while maximizing the potential of new technologies.

Foster trust and stability

Strong data protection practices foster trust among citizens, businesses, and international partners, contributing to sustainable relationships and economic stability.

We help you plan and implement robust data protection strategies in order to enhance transparency, accountability and security.

Ensure regulatory compliance

Adhering to robust data protection regulations, such as the General Data Protection Regulation (GDPR), ensures legal compliance and mitigates regulatory risks for entities operating globally.

We help you implement tailored compliance frameworks, offer strategic advice and help you develop incident response plans to mitigate risks.

Strengthen cybersecurity resilience

Effective data protection measures help mitigate cybersecurity threats, reducing the potential for data breaches, cyberattacks, and financial losses.

We help your organization be more resilient and have the right plans in place to minimize risks and impacts.

Strengthen your Governance on AI

Our services enable you to build relevant building blocks for an effective AI Management System and constantly monitor your compliance with applicable laws and regulations, such as the EU AI Act or the expectations of FINMA towards the financial industry.

We help you make a good start on your AI journey and minimize AI risks whilst you strive to unlock the potential of AI.

Navigating success: our proven approach

Assess

  • As part of our services, we will perform in-depth gap and maturity assessments, provide a detailed mitigation plan that addresses any gaps identified, and assist with implementing the mitigation strategy, applying data protection best practices that are tailored to your situation.
  • We focus on assessing the organization's compliance with national and international data protection regulations, such as the European General Data Protection Regulation (EU-GDPR), the Swiss Federal Act on Data Protection (CH-FADP) and the EU Artificial Intelligence Act (EU AI Act).
  • We assess your Data Protection Management System (DPMS), including the organizational structure, governance and operational model, and define appropriate best practice solutions.
  • We assist you in determining data flows, designing data maps and supporting the Record of Processing Activities (ROPA) for greater insight into your data-driven products, and in identifying potential compliance challenges.
  • We review and design policies, procedures and control mechanisms.

  • Data Protection Impact Assessment (DPIA): we help you to identify, assess and evaluate risks in data processing activities. Our services cover advising, managing the entire DPIA process, assisting DPOs or business units, defining state-of-the-art technical and organizational measures, structuring actions as well as establishing review processes for compliance and accountability.
  • Transfer Impact Assessment: compliance with regulations on data transfers to third countries is crucial. We assist in evaluating the adequacy of the data protection level of the recipient state and defining additional safeguards.

  • Producers of data processing systems or programs as well as controllers and processors are entitled to undergo an assessment of their systems, products and services by a recognized independent certification body (Art. 13 para. 1 FADP).
  • KPMG, accredited by the Swiss Accreditation Body (SCESm 0071), is authorized to audit and certify data protection management systems (DPMS) as per Article 13 of the Swiss Federal Act on Data Protection (FADP). Our thorough certification program allows you to showcase ongoing compliance.

Transform

We support your organization in evaluating technological, social and political trends and forecasts for the digital market. We take global and national regulatory developments into account and derive a customized data protection strategy for your business area and your needs.

We support businesses in establishing a robust data protection program, which involves creating policies and processes to be followed across all stages of the privacy program life cycle. Additionally, we integrate main processes to ensure accountability, uphold data subject rights, handle data protection incidents and manage third parties. Our approach includes defining key performance indicators (KPIs) to measure performance and facilitate continuous improvement throughout the program's operational life cycle. 

We support organizations by introducing privacy tools to automate data protection management and streamline business processes. Leveraging resources such as the OneTrust Alliance, eGRC tools, vendor evaluation solutions and AI for privacy, businesses efficiently manage compliance, assess risks and enhance privacy practices.

Operate

Supporting the company's operational business unit in implementing data protection and internal requirements (e.g. advising on handling data subject rights, fulfilling information requirements, conducting data protection impact assessments (business case assessment and enabling)).

Providing subject matter expertise in applicable legal and regulatory compliance obligations, our specialists are experienced in the areas of IT, law and organization, holding internationally recognized certifications.

Providing assistance in readiness for and responding to data breaches, ensuring compliance with regulatory requirements including notification to supervisory authorities and data subjects, while also establishing project task forces and facilitating coordination efforts among affected stakeholders from business, legal, IT, data protection and information security units.

Data protection requires regular or ad-hoc deletion of personal data when the processing purpose no longer applies or in response to legitimate requests. We assist in defining deletion rules aligned with business and legal requirements, ensuring compliance with commercial, tax and archiving laws. Our support includes determining retention, archiving and deletion needs for data categories, and developing practical deletion concepts with your business units.

Defining and assessing appropriate technical and organizational measures to ensure adequate security of processing according to national and international data protection requirements on a risk-based approach, considering international standards for information security (e.g. Guidelines of the Supervisory Authorities, Industry standard ISO/IEC 27001, NIST).

When outsourcing to service providers for activities such as cloud services, marketing campaigns, data center storage or affiliated company processing, data protection and contractual compliance are crucial. Service providers must ensure data security, grant audit rights, and comply with specific requirements for data transfer. We assist in identifying suitable providers, guide you through contract negotiation, and offer advice on data protection considerations.


Partnering for success: submit your interests and open questions

Secure your digital assets. We support your compliance and digitization strategies with our expertise in data protection, information security and data management.
