77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
GDPR advice 2026: What companies really need instead of templates
Data Protection & Privacy

GDPR advice 2026: What companies really need instead of templates

19 June 202612 min readBy Lena Vogt
CIVAC

GDPR advice is often delivered as a PDF bundle. It is only effective when recommendations result in appointment certificates, a TOM register, a 72-hour reporting path and auditable evidence in the workspace. The article shows how reliable advice can be recognised.

The General Data Protection Regulation has been in force since May 25, 2018, but operational implementation in companies remains the biggest weak point in 2026. According to the activity reports of the state data protection officers in 2023 and 2024, supervisory authorities in Germany have noticeably tightened their sanctioning practices. Fines according to Art. 83 GDPR reach up to 20 million euros or 4% of global group sales. In addition, there is the personal liability risk of the management according to Section 130 OWiG if supervisory obligations are violated. GDPR advice that only provides sample texts does not close this gap. It ties up budget without generating the decisive evidence.

This article explains what effective GDPR consulting must achieve in 2026, how reputable providers differ from template sellers and which seven artifacts you can use to recognise audit-proof implementation. As a compliance platform and officer-as-a-service, CIVAC accompanies the entire path from inventory to ordering to the annual audit loop. You will read how you can recognise a reliable mandate, which cost models are standard in the market and how advice can be translated into long-term data protection operations. Licence the workspace for your internal representatives or have our representatives order it, depending on which model suits your structure. The text addresses management, data protection coordinators and IT management who choose between internal setup, external ordering and a hybrid solution.

Key Takeaways

  • GDPR advice is only economical when every recommendation results in an appointment certificate, a procedure directory entry or TOM evidence in the workspace.
  • Reliable advice provides seven mandatory artifacts: appointment certificate, Art. 30 directory, TOM register, AV contracts, data subject rights process, 72-hour reporting path and proof of training.
  • External GDPR consulting costs between 950 and 2,400 euros per month for medium-sized companies in Germany; What matters is the contractual performance, not the hourly rate.

What GDPR advice really needs to include in 2026

The requirements for data protection advice have changed significantly since 2018. Simply providing an initial consultation with a sample contract, a list of procedures from the Internet and a data protection declaration is no longer sufficient. Today, supervisory authorities require proof of effective data protection management. The Bavarian State Office for Data Protection Supervision expressly pointed out in the 2024 activity report that the mere existence of documents is not enough; timeliness, role clarity and effectiveness must be proven. In its 2024 resolutions, the Data Protection Conference also formulated the expectation that those responsible will continuously assess their processing and implement changes promptly.

A complete GDPR consultation in 2026 covers at least seven areas of responsibility. Firstly, the appointment of an internal or external data protection officer with an appointment certificate in accordance with Art. 37 GDPR and Section 38 BDSG. Secondly, the processing directory according to Art. 30 GDPR, separately for the controller and the processor. Thirdly, the technical and organisational measures according to Art. 32 GDPR including risk assessment. Fourth, the contracts for order processing in accordance with Art. 28 GDPR with all service providers. Fifth, a documented process for data subject rights in accordance with Articles 15 to 22 GDPR. Sixth, the 72-hour reporting path according to Art. 33 GDPR with a clear escalation chain. Seventh annual training courses and a verifiable training register with individual proof of participation.

The consultation is only complete when these seven modules are in a testable condition. Everything before that is preparatory work. CIVAC provides the associated templates, workflows and reporting lines centrally in the workspace, so that every measure leaves a verifiable trace. Anyone who works with Word documents in shared drives loses versioning and thus the ability to provide evidence. Anyone who works with a structured platform gains a searchable history that is immediately reliable in audits and clearly assigns responsibilities for each processing.

Internal, external or hybrid consulting: choose the right model

The choice of consulting model depends on the size of the company, industry and available resources. Three constellations are common in practice. Internal advice with an employed data protection officer is worthwhile for around 200 employees and in sectors with high processing risks such as health, insurance or financial services. However, it requires continuous training, a reliable replacement arrangement and a realistic time budget. Anyone who casually assigns data protection to an IT management regularly violates Article 38 (6) GDPR because the person is checking tasks in the implementation of which they themselves are involved. External advice with an appointed external data protection officer is therefore the chosen option for medium-sized companies with between 20 and 500 employees. It ensures independence in accordance with Art. 38 Para. 3 GDPR and avoids conflicts of interest with IT or HR management.

The third model is the hybrid one: an internal contact person takes over operational routines such as receiving inquiries from those affected or the first review of AV contracts, the external representative bears formal responsibility, carries out audits and looks after contacts with authorities. CIVAC supports all three models. Licence the workspace for your internal representatives or have our representatives order it. Both paths lead to the same platform, the same 490 audit templates and the same reporting line to management. Switching between models is possible during ongoing operations because the database in the workspace remains multi-client capable.

A common mistake is double orders by IT service providers who are also contract processors. This regularly violates independence according to Art. 38 GDPR and leads to complaints in the event of an audit. Reliable advice will point this out and reveal the role matrix. Anyone who combines advice, checking and decision-making in one hand does not create a four-eye principle, but rather a compliance risk with an announcement. Therefore, before making the mandate, clarify what other roles your provider has in your company.

Seven must-have artifacts of effective GDPR advice

Reliable consultation can be seen in seven artifacts that must be available at the end of the first consultation cycle. Firstly, the appointment document of the data protection officer with date, signature and notification to the supervisory authority in accordance with Article 37 (7) GDPR. Secondly, the list of processing activities in accordance with Art. 30 GDPR with all mandatory information, including recipients in third countries and deletion periods. Thirdly, the TOM register according to Art. 32 GDPR, which documents measures per processing activity, not across the board per company. A frequent consulting deficit is precisely this mix: blanket TOM lists have an exhaustive effect, but are not reliable in an emergency because they do not establish a connection to specific processing.

Fourthly, the contracts for order processing according to Art. 28 GDPR with all service providers, supplemented by standard contractual clauses and transfer impact assessments for third-country transfers according to the ECJ ruling Schrems II. Fifthly, a process for the rights of those affected Art. 12 to 22 GDPR with input channel, deadline monitoring and response templates. Sixth, the reporting path for data breaches with the 72-hour deadline from Art. 33 GDPR and the notification of those affected according to Art. 34 GDPR. Deadline begins as soon as we become aware of it. Seventh, a training register with annual refreshers for all employees with data access and differentiated content for specific roles such as HR, sales or IT administration.

These seven artifacts are the minimum equipment. They are stored centrally in the CIVAC workspace, versioned and linked to the appointment certificate, signed, filed and verifiable. When the inspector calls, the proof is ready. A consultancy that cannot deliver these artifacts within 90 days does not have sufficient operational focus. Therefore, request a delivery promise for each artifact with clear responsibilities and delivery dates as early as the quotation process. Reliable advice will provide this assurance.

Cost models: flat rate, hourly rate or fixed price project

The German market for GDPR consulting has three dominant remuneration models. The first is the monthly flat rate with a defined scope of services, common for external data protection officers. The usual market rate is 950 to 2,400 euros per month for medium-sized companies with between 30 and 250 employees. The flat rate usually includes an order, annual reporting, contact with authorities, training, AV testing and a limited consultation period. The second model is project consulting with an hourly rate, the usual market rate of 180 to 320 euros net, billed every 15 minutes. The third model is the implementation fixed price for the initial setup, often between 6,000 and 18,000 euros for a complete initial setup with all seven mandatory artifacts.

A success component, such as a quota on fines saved, is not permissible according to the professional practice of lawyers and data protection consultants and would also be problematic under professional law. Reputable providers charge based on performance. Pay attention to clear service boundaries: What does the flat rate cover, where does the separate project business start, what response times are agreed, who takes on training and in what form? Contracts that leave these points open regularly lead to renegotiations and disputes about the scope of services in the company. The same applies to special expenses in the event of data breaches where a quick response is required.

CIVAC works with a transparent licence for the workspace and a separate ordering fee for the officer-as-a-service variant. The price logic is publicly documented and does not contain any hidden flat rates for standard audit steps. The CIVAC SLA of 2 business days replaces the classic response window of 2 to 6 weeks, which is still accepted in many consulting contracts. Therefore, do not compare hourly rates, but rather contract services, response times and the depth of delivery of the mandatory artifacts. Anyone who keeps an eye on the annual cash flow thinks in terms of the result, not the effort. A flat rate that suddenly has surcharges in the third data breach is not a flat rate, but an hourly bill with a marketing label.

Appointment of the external data protection officer: mandatory or optional

The obligation to appoint a data protection officer results from Art. 37 GDPR and Section 38 BDSG. They trigger three facts. First, when at least 20 people constantly handle personal data automatically. Secondly, if the core activity consists of extensive, regular and systematic monitoring of those affected, for example by tracking providers, security service providers or platform providers with user profiles. Thirdly, if extensive special categories according to Art. 9 GDPR or data on criminal convictions are processed, which affects, for example, doctor's practices, pharmacies, social services and care facilities.

Those who do not reach the threshold can order voluntarily. According to the prevailing view in supervisory practice, voluntary appointment means that the same rights and obligations apply as with statutory appointment. This is economically relevant because a voluntary order is not easily reversible. The order must be made in writing and reported to the responsible supervisory authority. The report contains name, contact details and job description. A missing report is regularly criticized in audits and is one of the most common formal errors in medium-sized companies.

The choice between internal and external ordering is a question of independence, availability and specialization. External representatives bring industry experience, are protected from dismissal in accordance with Section 6 Paragraph 4 BDSG and avoid conflicts of interest. For both models, CIVAC provides the appointment certificate, the report to the supervisory authority and the reporting line to the management in the workspace. Audit-proof, documented, § 38 BDSG-proof. An order without this set is not audit-proof. Anyone who treats the order as pure paper is overlooking the actual purpose: a documented responsibility that bears responsibility in the event of a dispute.

72-hour reporting path: the most common error in consulting mandates

The deadline in Art. 33 GDPR is one of the strictest sanction thresholds in the GDPR. Controllers must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it if there is a risk to the rights and freedoms of natural persons. If the risk is likely to be high, notification to those affected is also required in accordance with Art. 34 GDPR. Regulators have imposed multiple fines in 2023 and 2024 because reporting was late, incomplete or not reported at all. What is striking is the accumulation of late reports during weekend and holiday events, which indicates structural gaps in the preparedness model.

Effective GDPR advice therefore establishes a written, documented reporting path with clear roles. Who reports the injury internally? Who assesses the risk? Who formulates the report to the authorities? Who informs those affected? The answer must be in a procedural instruction and practiced with the employees. The clock starts on awareness. This legal subtlety is overlooked in many advisory engagements. A so-called initial suspicion is enough to set the deadline in motion as soon as it is sufficiently concrete.

CIVAC maps the reporting path as a workflow in the workspace. Receipt via a reporting form, automatic escalation to the appointed data protection officer, risk assessment with documented justification, notification to authorities via prepared templates for each federal state and notification of those affected with verifiable dispatch. The auditor calls, the evidence is ready. Advice that does not operationally integrate the reporting path into everyday management leaves the most dangerous residual risk open. Therefore, practice the case at least once a year in a tabletop exercise with IT, HR and legal departments.

Advice in the event of an audit emergency: audits by the supervisory authorities

The supervisory authorities in Germany have been checking more on an event-related and topic-related basis since 2022. According to activity reports, the focus in 2024 was, among other things, cookie banners, employee data protection, video surveillance, order processing and third country transfers according to the ECJ Schrems II ruling. An audit regularly begins with a request for information in accordance with Article 58 (1) GDPR, which must be answered within a short period of time. The quality of the answer determines whether the examination proceeds to an in-depth investigation or an on-site inspection. A careful, complete and consistent initial response usually shortens the process considerably.

Prepared advice provides the decisive advantage here. Anyone who can provide the complete processing directory, the TOM documentation, the AV contracts, the training certificates and the reporting path protocols within a few days upon request signals a practical data protection management. Anyone who collects weeks and subsequently consolidates them signals the opposite and provides the auditor with additional starting points. The 490 audit templates in the CIVAC workspace are prepared and numbered precisely for these situations, so that an information dossier can be put together immediately from the template system.

In the event of an audit emergency, an external data protection officer also accompanies communication with the authority. This protects management from unprepared statements and ensures consistent language regulations. Others run compliance like a filing cabinet. We run it like software. It is precisely there that it is decided whether the advice of the past few years has been economical or whether it has degenerated into mere paper production. Anyone who leaves communication with authorities to an inexperienced internal contact risks avoidable admissions that can later be used as evidence against the company. An experienced companion sorts through facts, separates assumptions from findings and ensures a written trace of every contact with the authorities. This reduces the likelihood that a topic-related examination will turn into formal administrative offense proceedings.

GDPR advice and related obligations: NIS-2, EU AI Act, TTDSG

The GDPR does not stand alone. Since 2024, the regulatory framework for data processing companies has expanded significantly. The NIS 2 guideline obliges around 29,500 companies in Germany to have documented information security management and a 24-hour early warning and 72-hour follow-up reporting path for security incidents. A competent GDPR consultation recognises the overlap between Art. 32 GDPR and the security measures according to Section 30 NIS2UmsuCG and uses them for an integrated register of measures. Maintaining both registers separately costs time, leads to inconsistencies and is difficult to defend in an audit.

Since August 2, 2026, the EU AI Act has required additional documentation and assessment obligations for high-risk AI systems, which are associated with data protection impact assessments in accordance with Art. 35 GDPR. The TTDSG has been regulating the consent requirement for cookies and similar technologies since 2021. Isolated GDPR advice that ignores these adjacent obligations produces redundancy and blind spots. CIVAC bundles the roles information security officer, data protection officer and compliance officer in the same workspace, so that measures are only documented once and applied multiple times. This is not only efficient, but also more reliable in the audit.

If you separate data protection, information security and compliance, you pay three times for the same work. Anyone who integrates them gains speed and consistency. GDPR advice in 2026 must therefore at least consider bridging NIS-2 and the EU AI Act, even if the mandate formally only covers data protection. The transitions are too narrow to be ignored. Therefore, clarify in the initial consultation whether your consultant knows the related frameworks from his own practice or simply offers references to other specialists. An integrated list usually saves significant personnel costs because the same measure does not have to be documented twice.

From consulting reports to resilient data protection operations

The final report of a GDPR consultation is not an end point, but an inventory. What matters is what happens afterwards. A resilient data protection operation needs an annual audit loop, quarterly reporting to management, a monthly status of measures and a weekly look at open requests from those affected and changes to processors. These routines should be created during the consultation, not just after the end of the mandate. If you don't establish the routines, you have produced a report, but not management. The reporting line to management in accordance with Art. 38 Para. 3 GDPR is not an optional element, but a legal obligation.

CIVAC is a compliance platform and officer-as-a-service with workspace, audit templates, appointment certificates, reporting lines and EU data residency. Licence the workspace for your internal representatives or have our representatives order it. Both paths deliver the same 490 audit templates, the same escalation paths and the same reporting logic. The CIVAC SLA of 2 working days replaces the classic response window and closes the gap between consulting and operations. The platform is tailored to the German supervisory environment and contains reporting templates for each federal state as well as a searchable history of all measures.

If your current GDPR advice has not provided an appointment certificate, a TOM register and a documented reporting path after three months, you should check the mandate. If you want to choose between internal setup, external ordering or a hybrid model, we will clarify this in a structured initial discussion. Turn reading into an assignment. Write to info@civac.de or use the contact form to arrange an initial assessment of your current data protection posture. You will receive a concrete list of gaps with delivery dates for each mandatory artifact and a rough indication of the monthly costs per operating model, so that the decision between internal, external and hybrid setup does not remain vague.

FAQ

As a company with 25 employees, do we absolutely need GDPR advice?

As soon as at least 20 people constantly process personal data automatically, a data protection officer must be appointed in accordance with Section 38 BDSG. Accompanying GDPR advice is not required by law, but is necessary in practice to establish the seven mandatory artifacts. With 25 employees, the threshold is usually reached and an external order is the economically sensible answer.

How much does serious GDPR advice cost per year?

For medium-sized companies with between 30 and 250 employees, standard market rates for external data protection are between 950 and 2,400 euros per month. One-off implementation costs for the initial installation range between 6,000 and 18,000 euros. The decisive factors are the service definition, response time and the scope of the mandatory artifacts delivered, not the nominal hourly rate.

What documents does a GDPR consultation specifically have to provide at the end?

At least seven artifacts: Appointment certificate from the data protection officer, processing directory according to Art. 30 GDPR, TOM register according to Art. 32 GDPR, AV contracts according to Art. 28 GDPR, documented process for data subject rights according to Art. 12 to 22 GDPR, written 72-hour reporting path and a training register with evidence. Only then is the initial compilation completed and audit-proof.

Can our IT service provider also be our data protection officer?

As a rule not. Art. 38 Para. 6 GDPR requires independence and freedom from conflicts of interest. An IT service provider who is also a contract processor audits itself as a result. Supervisory authorities regularly criticize this constellation in audits. Therefore, choose an independent external data protection officer or a person with no internal instructions and no operational dual role.

How quickly must a data breach be reported according to GDPR?

According to Art. 33 GDPR, the relevant supervisory authority must be informed within 72 hours of becoming aware of it if there is a risk to the rights and freedoms of those affected. If the risk is high, Article 34 of the GDPR also requires those affected to be notified. The deadline begins when the matter is known, not when the severity is assessed by the internal committees.

How does CIVAC differ from a classic data protection law firm?

CIVAC is a compliance platform and officer-as-a-service with workspace, 37 audit templates, appointment certificate, reporting line and a documented reporting path. You can licence the workspace for your internal representatives or have our representatives appointed. The CIVAC SLA of 2 working days replaces the classic response window of 2 to 6 weeks, which is still accepted in many law firm mandates.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles