Skip to content
Chimera readability score 63 out of 100, Academic reading level.

As an IT security company, G DATA stands for high security standards. What requirements does this create for our data protection?
Andreas Lüning: Trust does not begin with a contract — it begins with a company’s mindset. As a German IT security company, we see data protection and digital sovereignty as part of our responsibility. That is why the protection of personal information is integrated into our products and processes from the very beginning. Privacy by Design & Default is a lived practice for us. At the same time, we meet demanding legal requirements such as NIS2 and the Cyber Resilience Act (CRA). We are convinced that anyone who wants to create digital security must consistently take data protection into account — from the initial idea through to day-to-day operations.
Why did we choose Bitkom Consult, and how does the collaboration work in practice?
Andreas Lüning: We have worked with Bitkom in a spirit of trust for many years. So it was a natural step for us to rely on this expertise in the area of data protection as well. Our data protection coordinator supports us reliably on all data protection-related matters. The regular consulting meetings are characterized by open dialogue at eye level and a clear focus on practical solutions. We are convinced that effective data protection management is not a one-off project, but a continuous process that requires commitment within the company and an experienced partner. Data protection has to be put into practice every day. Based on our experience, Bitkom is the most competent external data protection partner we have worked with so far.
Ali, you have been supporting G DATA for many years. From your perspective, what characterizes the collaboration? What does the company do particularly well when it comes to protecting personal data?
Ali Tschakari: Continuity is what particularly defines the collaboration. Over the years, we have developed a very strong shared understanding — both professionally and at the process level. At G DATA, these topics are addressed early on in projects, not only shortly before a product launch. Everyone understands that the protection of personal information is not a one-off project, but firmly embedded in workflows.
You can also see this in the fact that topics are addressed early. Not only when a problem arises, but well in advance — when new projects, new technologies, or changing requirements are involved.
For me as an external data protection officer, that is the ideal foundation. I do not have to work reactively. We develop things together.
How has your role evolved during this time?
Ali Tschakari: At the beginning, as in many companies, the focus was on classic topics: documentation, legal assessment, and building structures.
Today, the work has become much broader and more strategic. Protecting privacy is no longer just an isolated compliance function, but part of product decisions, IT architecture, and increasingly also topics such as artificial intelligence.
Today, I am involved at an early stage and can help shape projects instead of only reviewing them at the end. I can assess risks while also helping to develop solutions that work in practice.
How do G DATA customers benefit from the fact that we consistently consider data protection?
Andreas Lüning: For our customers, data protection is not an additional component, but an integral part of our solutions. Our contract texts, privacy notices, and data protection management meet a high legal standard. They were developed or reviewed together with the data protection experts at Bitkom Consult, who have many years of experience in data protection.
This means our customers can rely on the fact that data protection is taken into account from the very beginning — transparently, practically, and with legal certainty. Our aim is not only to develop secure products, but also to apply the highest standards when handling personal data. This is also reflected in the quality of our privacy notices, which are regularly assessed very positively.
What does the role of the external data protection officer mean in practice at G DATA — beyond the purely supervisory function?
Ali Tschakari: Of course, legal review is part of the role, but it is only one aspect. What is more important is ongoing support in day-to-day business. We look at new projects and assess specific questions — often at short notice and with a practical focus.
This creates a kind of “extended function” within the company. We know the systems, the processes, and the internal workflows and decision-making paths. That is exactly what makes the difference: I do not just provide abstract recommendations, but solutions that can actually be implemented in the specific environment.
How does Bitkom Consult ensure that data protection does not become a bottleneck in complex areas such as AI or new digital products?
Ali Tschakari:: Timing is crucial. If data protection is only added at the end of a project, it almost inevitably becomes a slowing factor. But if we are involved early, many issues can be structured properly from the outset. This applies, for example, to risk analyses, impact assessments, and the question of how data should actually be used.
This is particularly clear when it comes to AI. It involves training data, transparency, and governance — in other words, questions that cannot simply be “corrected later.”
That is why our approach is to help think through possible solutions from the start. In other words: How can a project be set up in such a way that it is legally sound while also working from both a technical and business perspective?
Where do you see data protection developing over the next few years, especially with regard to AI and cloud?
Andreas Lüning: Cloud technologies and artificial intelligence offer enormous opportunities — but they also present companies with new data protection challenges. Today, data protection is no longer a static set of rules, but a continuous process that takes technological developments into account as much as new laws, regulations, and current case law.
In addition to traditional tasks, such as maintaining the record of processing activities or regularly reviewing privacy notices, new questions are becoming increasingly important: How can cloud services be used in compliance with data protection requirements? What requirements apply to the use of AI? And how can innovation and data protection be meaningfully combined?
Effective data protection management therefore means continuously keeping an eye on legal, organizational, and technical developments, and constantly advancing the protection of personal data.
In addition to data protection, you also bring experience in areas such as AI regulation, information security, and audits. What role does this interdisciplinary perspective play specifically in the collaboration with G DATA?
Ali Tschakari: Today, data protection no longer works in isolation. Especially at a company like G DATA, many topics overlap — information security, regulatory requirements such as NIS2, and the new requirements surrounding AI.
When those responsible look at these topics separately, gaps or unnecessary friction often arise. That is why it is important to avoid silo thinking between legal, IT, and product development. In concrete terms, this means that we always have to consider data protection together with security requirements, technical realities, and future regulatory developments. My experience from audit projects as well as from training and consulting practice helps to build structures that are not only legally correct, but also auditable and sustainable.
There are many providers in the field of data protection consulting. What distinguishes your approach as an external data protection officer, particularly in the context of a technology-driven company like G DATA?
Ali Tschakari: Many consulting firms work in a highly standardized way, using templates and generic recommendations. In practice, however, that often does not go far enough. We do not advise on the basis of templates; we orient ourselves around actual systems and processes. We try to truly understand the processes, systems, and underlying product logic. On that basis, we develop solutions that also work in practice.
Through our projects and the close exchange within the Bitkom environment, we have a very clear picture of how requirements are developing and what actually proves effective. This allows us to assess many requirements before they become a problem — not just in theory, but in the form of concrete, implementable solutions. The goal is a solution that is legally sound and works in day-to-day practice.
From your perspective, what makes a collaboration successful so that data protection is truly lived within the company?
Ali Tschakari: At G DATA, there is a very high level of professional depth within the company, combined with an openness to implementing requirements systematically. This creates a situation in which data protection and AI compliance are not “imposed from the outside,” but are supported and actively shaped within the company itself. And that is exactly when these topics have an impact: when they are not viewed in isolation, but integrated into decisions, processes, and systems.
What would you recommend to other companies that are considering appointing an external data protection officer?
Andreas Lüning: An external data protection officer brings more than just the expertise of a single person. Companies usually benefit from an experienced team with different specialist focuses and extensive practical experience. This provides broader expertise, additional resources, and, where needed, specialist knowledge for complex issues.
At the same time, this team structure ensures a high level of reliability. Even during holidays, illness, or other absences, support remains guaranteed, and companies always have access to a competent contact person. This creates continuous and resilient support that can adapt flexibly to new legal and technical requirements.
Thank you for the interview.

Sentinel — Human

Confidence

The text reads as an authentic transcript of an expert interview focusing on the integration of data protection, security, and future technology, exhibiting the discursive flow of human dialogue.

Signals Detected
low severity: Moderate sentence length variance; use of complex subordinate clauses and direct, opinionated framing characteristic of expert interviews.
low severity: High internal coherence driven by a consistent narrative thread (Trust -> Process -> AI/Future), despite the multiple speakers.
low severity: Natural flow of dialogue; no verbatim talking points detected; attribution is contextual rather than purely quote-matching.
low severity: Claims regarding specific regulations (NIS2, CRA) and industry dynamics are presented in a manner consistent with expert commentary rather than synthetic assertion.
Human Indicators
The conversational structure of the interview, including direct responses building on previous statements, suggests genuine interaction between individuals.
The shift in focus and complexity of the discussion regarding evolving roles (from documentation to AI governance) shows a nuanced trajectory often found in expert consultation.