In August 2021, around 40 companies in Berlin received mail from the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, with a request to adapt the tracking on their websites to the data protection regulations. Enclosed is the corresponding press release. 

The GDPR is clear: website operators who want to track user behaviour with the help of cookies and other technologies need a legal basis. Many cookie banners differentiate between cookie categories, but often no effective consent is obtained. 

It must be equally easy for every user to refuse or to consent to tracking. Tracking settings designed to force consent are not legally compliant. 

The authority’s notice campaign was a first warning to selected companies. The responsible parties were requested to redesign their consent procedure in accordance with the GDPR requirements without delay. A second examination of the websites of the companies reprimanded may result in enforcement measures by the authority. 

Seek competent advice on designing and auditing your cookie banners. Here are the most important requirements for a practical and data-saving opt-in procedure: 

  • Obtain consent only when necessary. 
  • Differentiate between different processing operations. 
  • If consent is required, the options should not be too extensive. The user should be able to make the settings according to his or her wishes with just a few clicks. 
  • The use of the website service should not depend on consent. 
  • The consent module itself must be easy to use, adapted to the user group and compatible with different end devices. 
  • All information on the processing of data must be transparent, easy to understand and neutrally designed. 
  • A data-saving default setting should be provided. 
  • The design must not distract the user from the essentials and manipulate the user into changing the settings. 
  • A data protection cockpit should enable subsequent management of the consents granted. 
  • Make the topic more understandable with icons and pictograms. 
  • Conclusion: Transparency in consent strengthens your trustworthiness. 

Finally, the new standard contractual clauses have been adapted to the GDPR and take into account the ECJ case law on the Privacy Shield.

Note: all standard contractual clauses already concluded must be updated within 18 months, i.e. by 27 December 2022. All newly concluded contracts must use the new standard contractual clauses from 29 September 2021.

How are the standard contractual clauses concluded in practice?

In practice, the standard contractual clauses are usually provided by service providers in these forms:

  • Individual contract – Especially when contracting with companies that do not work on a large scale for EU clients, the standard contractual clauses are provided in the form of a contract (usually as a PDF file), which is then signed or countersigned individually.
  • Part of T&Cs – Large US providers offer standard contractual clauses as part of or as attachments to their T&Cs, so that the standard contractual clauses are concluded automatically with the conclusion of the contract (for example the email platform MailChimp).

However, concluding the standard contractual clauses alone is not sufficient. The level of data privacy must be examined in each individual case. The ECJ and the data privacy supervisory authorities do not reject the transfer of data to third countries (e.g. the USA) as such, but they require the level of protection to be verified.

  • Checking the text of the contract – You must check whether the correct standard contractual clauses have been chosen for the respective contractual constellation and whether their content has been left unchanged. You also need to check that the annexes have been properly completed.
  • Checking the actual level of data protection – You must also check whether the promises to provide an adequate level of data privacy are actually complied with. This means checking whether the risk of access to the data by US authorities, as described by the ECJ, is prevented. Measures such as encryption, pseudonymisation, server location in the EU, or a low risk for the data of the data subjects contribute to ensuring an adequate level of data privacy.

However, the recitals of the new standard contractual clauses leave room for misinterpretation, in particular point 7:

The standard contractual clauses may only be used for such data transfers to the extent that the processing by the data importer does not fall within the scope of Regulation (EU) 2016/679.

Taken literally, this recital would mean that the standard contractual clauses would never have to be concluded if, for example, a US cloud service itself falls under the GDPR. This would be the case, for example, if Dropbox, Microsoft Cloud or Google Cloud were also aimed at EU citizens. If an EU company then stores customer data in such a cloud, no standard contractual clauses could or would have to be concluded with Dropbox, Microsoft or Google. However, this result contradicts the wording of Art. 44 et seq. GDPR, which does not provide for such an exception in the case of processing in a third country. It is therefore to be hoped that the EU Commission will soon publish an interpretation aid to clarify its inconsistent guidance.

This means that you must become active and take the following measures:

  • Take stock in your own company – Check whether data of customers, users, members, etc. are processed in third countries, and especially in the USA (or by companies located in these countries).
  • Take stock of subcontractors – It must also be checked whether subcontractors and service providers, e.g. the web host or accounting service, use providers from third countries or the USA (e.g. rent servers from Amazon Web Services).
  • Request new standard contractual clauses – Third-country providers must be asked to provide the new standard contractual clauses (alternatively, although less common, standard contractual clauses can be provided to them for review and signature). Similarly, subcontractors must be asked whether corresponding standard contractual clauses have in turn been concluded with their own subcontractors in third countries (ideally, copies should be requested).
  • Request security measures – The providers from third countries must be asked to name the security measures with which the special risks of the third-country transfer are mitigated (e.g. encryption, server location in the EU, pseudonymisation). Subcontractors must also be asked whether their subcontractors from third countries have provided evidence of corresponding security measures (ideally, they should also be asked to provide a list and copies of the confirmations).
  • Check the standard contractual clauses – You must check that the modules of the standard contractual clauses are correctly selected, that their text has not been modified and that the annexes are properly completed.
  • Verify the level of data privacy – You must verify, on the basis of the notified security measures, whether a sufficient level of data privacy is ensured for the respective processing of the data by service providers and subcontractors.
  • Logging – You must record the audit procedures for evidence purposes (e.g. in a table with providers, times of requests, results and justification of your audit result).


Even though the end of 2022 is still far in the future, you should urge your contractual partners to replace the standard contractual clauses as soon as possible, especially because the new standard contractual clauses implement the demands of the data privacy supervisory authorities to supplement the previous clauses as a result of the ECJ’s case law on US data transfers. It can therefore be assumed that supervisory authorities will very soon declare the use of US providers on the basis of the old standard contractual clauses to be inadmissible.

The Federal Commissioner for Data Privacy and Freedom of Information (BfDI) announced on 29.06.2021 that the European Commission had adopted the adequacy decisions for transfers of personal data to the United Kingdom under the General Data Privacy Regulation (GDPR) and the Law Enforcement Directive (LED) on 28.06.2021.

With the recognition of the adequate level of data privacy, data transfers from the European Economic Area (EEA) to the United Kingdom, within the scope of the Decisions, do not require a specific authorisation. Whether the general data privacy requirements for a data transfer are met must still be examined, independently of the adequacy decisions.

Cyber-attacks are becoming more frequent. The number of attacks is increasing and the headlines are piling up. The risk is not eliminated with outsourcing to the Cloud. Cloud service providers also have to rethink and provide answers to questions about security measures. For companies, outsourcing creates a new interface that must be managed.

Cloud service providers can be assessed and their service quality evaluated on the basis of various standards. In Germany, an assessment according to the BSI C5 cloud standard or according to statement FAIT 5 of the IDW’s IT expert committee is recommended. Corresponding attestations are issued by auditors. Attestations according to ISAE 3000 or ISAE 3402 should also be mentioned here.

In addition to the assessment and the resulting selection of a suitable service provider, it is also important to increase the company’s resistance to damage (resilience).

The pandemic in particular has shown how important digital skills and a functioning digital infrastructure are for SMEs. Never before have technologies been implemented so quickly and become a strategy for functioning business processes in so many areas. With this rapid development, data is becoming a central component of value creation. For this reason, it is important that companies develop strategies and measures to sustainably protect their operations against cyber-attacks. Entrepreneurs owe this not only to their own company but also to their customers, because customers also expect companies to develop confidence-building measures in the digital transformation.

We help you to secure your company against threats from the Internet with a customised early warning system, comprehensive security measures and forensic analysis methods. We want to build and strengthen your cyber resilience and develop a preventive, forward-looking cyber strategy for your company: internally IT-secure and externally trust-building in the digital transformation.

If you have any questions or need a partner for your cyber strategy, please do not hesitate to contact us.

Note: the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US authorities to access all your data – even without a court order. All data stored by US companies, even abroad, is treated as if it were stored on servers in the US. This law applies to internet providers, IT service providers and cloud providers based in the US and to their clientele. If a company in Europe is part of a US company or exchanges data with US companies, it is subject to the CLOUD Act.

The CLOUD Act affects both personal data and corporate data such as commercial information, trade secrets and other intellectual property. Technical encryption, trustee models and bilateral agreements provide no safeguard against access by US authorities. This creates a legal conflict with the GDPR.

Cloud providers with headquarters and data centres in the EU offer maximum security and are GDPR-compliant. Also look for audit certificates such as ISO 27001, ISAE 3402, C5 and IDW PS 860 in conjunction with PH 9.860.1.

We advise and audit cloud providers for compliance with legal security-relevant requirements.

The IEC 62443 series was developed to secure industrial communication networks and Industrial Automation and Control Systems (IACS) through a systematic approach.

It currently comprises nine standards, Technical Reports (TR) and Technical Specifications (TS), with four parts still under development. IACS can be found in an increasing number of sectors and industries, many of which, such as energy supply and distribution, transport, manufacturing, etc., are central to critical infrastructure (PH 9.860.2: The Review of Measures to be Implemented by Critical Infrastructure Operators Pursuant to Section 8a (1) BSIG).

IACS also include Supervisory Control and Data Acquisition (SCADA) systems, which are often used by organisations operating in critical infrastructure industries, such as power generation, transmission and distribution, gas and water supply networks. Ensuring risk mitigation and resilience is therefore essential.

Prevention of illegal or inappropriate access

In IEC 62443 publications, “the term ‘security’ is considered to be the prevention of illegal or unwanted intrusion, intentional or unintentional interference with the proper and intended operation of, or inappropriate access to, confidential information in Industrial Automation and Control Systems (IACS).”

Security “includes computers, networks, operating systems, applications and other programmable, configurable components of the system”.

IEC 62443 standards cover all aspects of cyber security at all stages and are a cornerstone of a secure-by-design approach.

A broad overview of the IEC 62443 publications is therefore necessary, as they are relevant to all industrial communication networks and IACS users, including plant owners, system integrators, equipment manufacturers, suppliers, plant operators, maintenance professionals and all private and governmental organisations involved in or affected by the cyber security of control systems (IEC/TS 62443-1-1 Industrial communication networks, network and system security – Part 1-1: Terminology, concepts and models).

The IEC 62443 series of standards is divided into four parts, which cover the following:

  • General (IEC 62443-1.* – one part of four published)
    The general documents provide an overview of the industrial security process and introduce essential concepts.
  • Policies & Procedures (IEC 62443-2.* – three parts of four published)
    The Policies & Procedures documents emphasise the importance of policies – even the best security is useless if employees are not trained and committed to supporting it.
  • System (IEC 62443-3.* – all three parts published)
    Since security can only be understood as an integrated system, the system documents provide important guidance on the design and implementation of secure systems.
  • Components (IEC 62443-4.* – both parts published)
    Since you cannot build a solid building from weak bricks, the component documents describe the requirements that must be met for secure industrial components.

Information technology (IT) and operational technology (OT)

International IEC standards such as ISO/IEC 27001 and IEC 62443, together with testing and certification (conformity assessment), are important tools for a successful and holistic cyber security programme. Such an approach increases stakeholder confidence by demonstrating not only the use of security measures based on best practices, but also that an organisation has implemented the measures efficiently and effectively. This must be integrated into an overarching strategy that encompasses people, processes and technology. It covers not only the technical measures themselves but also the organisation around these measures, which ensures that cyber-attacks are detected in a timely manner.

Implementation challenges

Although IEC 62443 has many benefits and advantages, implementing the standard also brings some challenges.

First, the standard is not yet complete. Some of the specifications in the series have not yet been published.

Second, the standard is very extensive: with a total volume of more than 800 pages so far and further specifications to be published successively, a considerable amount of time and effort is required to read and understand the complete standard.

With our auditing standard in accordance with IDW PS 860 (IT auditing outside the audit of financial statements), we ensure compliance with legal or regulatory requirements.

The audit notes cover

  • Cloud / Cybersecurity
  • Examination of the principles, procedures and measures in accordance with the EU General Data Privacy Regulation and the Federal Data Privacy Act (PH 9.860.1)
  • Audit for operators of critical infrastructures (PH 9.860.2)
  • Conformity with GoB requirements

Compliance with industry standards and recognised IT frameworks

  • ISO standards

With our attestation, we ensure that the mechanisms, implemented measures and controls are subjected to an appropriateness test (point-in-time consideration) and that the criteria are suitable. We examine the implementation of the controls and measures to ensure cyber security and subject them to an effectiveness test (period consideration), thus confirming that the controls and measures were effective throughout the period.

The pandemic has made home the new workplace for many of your colleagues. A familiar environment, but is it safe?

Most work is done via home internet service providers (ISPs), i.e. over unsecured routers. Neighbours can listen in on your phone calls and pick up sensitive information. Perhaps your partner also uses the same work device for other business. In short, there is no more popular target for cyber-attacks than the homes of your employees.

Hackers use well-known methods such as phishing emails almost daily. The fraudsters are keeping up with the times and shamelessly exploiting the pandemic. They direct your employees to websites to supposedly sell mouth-nose coverings, medical face masks as well as particle-filtering half masks (FFP) or lead the “victim” to websites to read the latest news (e.g. how to recover from the virus). Hackers even developed an app that posed as the “World Health Organisation WHO”. This app was confusingly similar to the original. It was deceitful and extracted information directly from the user’s mobile phone. Old-fashioned security measures – such as firewalls – have reached their limits in stopping cyberthreats of this kind.

But what can be done? We need to rethink the issues around cyber security so that employees can work safely from a distance.

Unfortunately, it is not possible to avoid cyber-attacks completely. However, not every threat is a big threat per se. It is important that your staff are made aware so that they can take timely action to prevent the most dangerous cyber-attacks. This makes the difference between a successful remote workforce and a vulnerable one. Companies are advised to have a “home office policy” in place, because they bear the burden of proof. Companies need a clear procedure in case of data breaches and IT problems.

In order to prevent irreparable and possibly expensive data privacy breaches (under the GDPR and/or BDSG), we recommend the following courses of action:

Work data remain work data

  • Switch off laptops / work devices outside working hours
  • Lock screen as soon as you leave the workplace (even if only for going to the toilet and back)
  • Lock screen to protect it from unauthorised third parties (flatmates, family members, friends, etc.)

Do not slack on passwords

  • It is recommended to use at least twelve characters (including special characters and numbers)
  • It is recommended to change the password regularly (every 30 days)


  • This is important so that the antivirus software updates itself regularly
  • This process minimises the vulnerability of (mobile) devices

Beware of suspicious e-mails

  • Do you know the sender?
  • Does the message look like spam?
  • Employees should delete and report phishing attempts immediately

The best offensive against cyber-attacks is a good defence strategy. This starts with conducting an IT analysis. This is how your company arms itself against data breaches:

  1. The necessary anti-virus software must be provided by the employer for all end devices, such as laptops.
  2. All employees who work remotely must attend regular (every twelve months) training sessions on information and cyber security. Employees must be informed about current threats in a timely manner.
  3. Introduce multi-factor authentication so that employees confirm their identity via their phones before accessing confidential files.
  4. Set up an encrypted VPN connection to secure access to confidential information.
  5. Appoint a Data Privacy Officer / Information Security Officer to whom potential cyber-attacks can be reported.


On-premise or cloud-based solutions such as software-as-a-service (SaaS) platforms offer advantages, of course, but also risks that show up, for example, in the areas of data management, data security, data privacy and transaction integrity, especially when information flows in and out of these newly coupled IT landscapes. As part of this transformation, it is important to ensure that risks and controls are embedded in new business processes.

By assessing risks and designing effective controls during implementation, your organisation can achieve the following:

  • Avoid inefficiencies and potential compliance breaches
  • Reduce the control design effort
  • Ensure that the company gets value from its investment

Independent Consulting + Audit Professionals can help your company build its adapted and new risk management system. We help you on your journey to a digitally integrated environment that allows you to better leverage new technologies and the flexibility of your cloud. We help you add value to your technology ecosystem by identifying, assessing and mitigating risks related to systems, security, data, reporting and programmes.

Our approach starts with a comprehensive understanding of your business processes, concentrating on what you want to achieve through the implementation and on your specific business risks.

We have extensive industry-specific technology expertise, including systems and applications. Our experience with systems and applications across on-premise, cloud and hybrid environments supports our holistic view of your business. Whether you use cloud-based platforms such as Salesforce or ERP systems such as SAP, Navision and Oracle, we can optimise your systems to give you greater security and control and to meet compliance requirements.

When you create an IT audit checklist, you create a system for assessing the sustainability of your organisation’s information technology infrastructure. You review your IT policies, procedures and operational processes. It is important to understand where you are right now, what your strengths are and what your weaknesses are, as this will help identify opportunities for the company to grow. An IT audit can help identify potential security risks and re-evaluate your software and hardware.

Companies are responsible for regularly reviewing their information technology procedures. This process helps protect customers, suppliers, shareholders and employees. With an IT audit checklist in place, companies can conduct a comprehensive risk assessment on a quarterly or annual basis. This assessment can be used to create an annual audit plan that covers all significant areas of a company over a period of time. Strategic, forward-looking aspects should also be included.

The IT audit checklist can cover everything from network faults to inadequate data flows and the logging of inaccurate information that could potentially compromise the company’s data. Another benefit of an IT audit checklist is that it provides a guideline for your employees. When employees understand what is required to protect data and which areas they need to focus on, they can proactively identify potential risks or weaknesses. Once identified, it is easier to put a plan in place to address any procedural errors. Furthermore, an internal IT audit checklist makes it possible to prepare employees for internal or external audits. This creates transparency and sets the course for a smooth audit process.

If you already have an IT audit checklist, you may wonder whether it is still effective. Today’s technology is evolving rapidly, and older audit procedures need to be updated. To keep up with this, you need to decide what your IT management priorities are. An IT audit checklist can serve as a guide. Updates to the checklist are made on the basis of past audits, which have the potential to identify new weaknesses or new problem areas.

For example, if your company is expanding, you may be considering purchasing additional hardware and granting new employees access to confidential information. This type of expansion requires a close look at your IT operations and processes. Alongside the process, update your IT audit checklist to ensure you don’t lose sight of your new and updated procedures and processes.

Many companies grow so fast that they cannot keep up with documenting their IT processes and procedures. There is then a risk that procedures are handled inconsistently and conceal risks. For your corporate IT audit checklists, this means that they may no longer reflect the IT reality of the business.

Part of updating your IT audit checklist is to identify the current risks to your business, create processes and procedures to address them, and then include all of this information in the IT audit checklist. Management may not be sure what new risks the company is exposed to. To minimise unidentified risks, subject matter experts from the IT environment or IT auditors can assess the current technological situation, identify the potential risks and propose countermeasures. Because some risks are industry-independent, many companies face similar risks.

Examples of industry-independent IT risks:

  • Brand damage, compliance breaches, confidentiality breaches
  • Information security breaches
  • Data loss due to the increasing number of mobile devices
  • Data theft, productivity loss, hardware damage and costs due to increasing malware epidemics
  • Document Management Systems (DMS) and cloud computing
  • Data loss and compliance breaches caused by electronic archiving

So there are several good reasons to keep an IT audit checklist up to date and to consistently review and improve IT processes and procedural documentation.

Constantly changing IT technology can be compromised for a variety of reasons. In addition, hackers and cyber security threats are constantly evolving. When you create an IT audit checklist, you proactively address the reality of today’s IT world and do your part to protect your business. The checklist highlights areas for review where documentation of processes and procedures is missing or may not exist at all. The growth of your business can lead to additional IT risks that you may not have had in the past. Using your checklist, you can identify potential problems and put protection in place before a problem actually occurs. Too many businesses lack a regular, consistent review, which means they are exposing themselves to potential cyber security risks.

Unfortunately, not every company has an IT department. This means that external support is required to create an IT audit checklist effectively; in effect, the internal audit is carried out by external staff. Even start-ups are often faced with the problem of sharpening processes and procedures to ensure compliance after some time has passed.

We at Independent Consulting + Audit Professionals GmbH have the expertise to make your company audit-proof. We help you create your IT audit checklist and prepare your staff for IT audits so that they can be carried out effectively and efficiently. We help you identify and assess IT risks so that you can address them proactively before hackers and cyber security threats damage your business.


  • Since the introduction of the European General Data Privacy Regulation (GDPR), companies have been subject to strict accountability requirements. Companies must prove that they comply with the data privacy principles of the GDPR.
  • By establishing and maintaining a functioning data protection management system (DSMS), companies can systematically plan, manage and control the legal and operational requirements of data privacy.
  • To enable companies to demonstrate the adequacy and effectiveness of the data privacy management system to supervisory authorities and their customers, the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer, IDW) has issued IDW PH 9.860.1, a new auditing note for the audit of data privacy organisations.

Achieve GDPR compliance for your company through an effective DSMS

Companies are required to adapt their data privacy-related procedures and measures in order to fully comply with data privacy law requirements. In addition, companies must be able to demonstrate compliance with the data privacy principles set out in Art. 5 (1) GDPR (lawfulness, processing in good faith, transparency, purpose limitation, data minimisation, accuracy, storage limitation as well as integrity and confidentiality). The implementation of a data privacy management system is therefore essential to meet the legal requirements. Companies of all sizes and industries face significant sanctions if they violate the data protection regulations.

Check the adequacy and effectiveness of your DSMS

There is therefore an increased need for an audit of these technical and organisational procedures and measures by an auditor. The IDW Audit Note “Audit of the principles, procedures and measures according to the EU General Data Privacy Regulation and the Federal Data Privacy Act (IDW PH 9.860.1)” specifies the application of the principles of IDW PS 860 to data privacy-specific audits and is intended to support the profession in these audits. The aim is to achieve uniformity in the profession when carrying out audits. IDW PH 9.860.1 contains a catalogue of standard examples of suitable principles, procedures and measures for ensuring and auditing data protection compliance, in particular in the context of adequacy and effectiveness audits. The subject of an audit according to IDW PH 9.860.1 is the set of criteria covering the data privacy objectives derived from the company’s business model, the data privacy culture, its structural and procedural organisation, the framework including risk analyses, training and awareness measures, as well as measures for monitoring and improving the system.

Benefits for your company

  • You receive an overview of the adequacy and effectiveness of your DSMS as well as the current implementation status of the data privacy requirements in your company.
  • Needs for action are identified at an early stage and can be addressed in a competent manner.
  • The audit report – with a certificate from the auditor if desired – provides you with valid proof of your company’s compliance with the GDPR. This not only protects you from the supervisory authorities, but also creates trust among your customers and stakeholders and can help you gain a competitive advantage.

We would be happy to discuss your current situation and goals and provide you with a customised audit offer. Please contact us!