Data Protection and BCM: Why Resilience Only Works When Combined

If data protection is to be effective, availability must be ensured and responsibility must remain tangible.

How are data protection and BCM related? The GDPR demands more than just data security; it requires availability and crisis resilience. In practice, however, data protection and business continuity management are often separated organizationally. This article shows why effective data protection fails without coordinated BCM and how companies can successfully integrate reporting requirements, recovery times, roles, and responsibilities.

Introduction: From obligation to capability

Data protection has always been more than just consent forms and directories. It is a promise to people that their data will be protected—even in times of crisis. The GDPR not only requires confidentiality, but also system availability and resilience.

Business continuity management (BCM) goes far beyond standard IT contingency plans. It ensures that organizations remain capable of acting in the event of cyberattacks, supply chain failures, or supply shortages. Nevertheless, data protection and BCM remain organizationally separate in many companies.

Yet it is precisely their interaction that is crucial when it really matters.

1. Data protection and BCM: The underestimated connection

Article 32 of the GDPR obliges companies to ensure the availability of their systems. This applies not only to technology, but also to processes, roles, and tests.

Standards such as ISO/IEC 27001 or the BSI standard 200-4 specify these requirements. They make it clear that data protection responsibility is hardly achievable without functioning BCM.

What does availability mean in the context of data protection?

Within the framework of the GDPR, availability is often interpreted in technical terms, for example through redundant systems, backups, or failover mechanisms. But in practice, there is more to it than that: organizational measures such as clear substitution rules for data subject requests, an emergency email address for supervisory authorities, or prioritized escalation levels are also included. The key point is that the protection of personal data must remain guaranteed even in exceptional situations, not just in theory but in practice.

2. Three pitfalls in practice

Silos instead of cooperation

Data protection and BCM often run in parallel without talking to each other. This leads to conflicting goals, and the requirements of information security add a third set of demands. If data protection specifies zero downtime, but BCM plans 48 hours for recovery, conflict is inevitable.

Misinterpretation of protection requirements

Not all sensitive information requires high availability, and not all business-critical applications contain personal data. Mixing the two means investing in the wrong place and risking gaps elsewhere.

Language barriers between departments

BCM works with RTO, RPO, and MTPD. Data protection works with TOMs and reporting deadlines. Without a common terminology, misunderstandings arise. This is a dangerous risk, especially in an emergency. Data protection and BCM must develop a common language and a common understanding of terminology. Communication is key.

3. Integration – how it works in practice

Make GDPR-relevant processes visible

The processing of data subject requests or the management of data breaches belong in the business impact analysis. This is the only way to ensure that they are prioritized in an emergency and that data protection and BCM are integrated.

Coordinate target systems

Recovery times and protection requirements should be synchronized. Reporting deadlines must also be coordinated. Otherwise, there is a risk of conflicting objectives, which can lead to friction in a crisis.

Clarify responsibilities

Who informs whom? Which role comes into play when? Clear communication chains save valuable time in an emergency. Role plans should be coordinated across functions between data protection, BCM, and ISMS.

Establish controls and tests

Regular testing of backup and emergency plans is not optional. It is mandatory and a criterion for GDPR compliance. Only tested processes can be reliably verified in an audit and, more importantly, applied in an emergency.

Consolidate the tool landscape

Distributed Excel lists, unconnected Word documents, and scattered tools make it difficult to maintain an overview. Integrated systems for data protection and BCM create transparency and speed. Reporting chains can also be mapped more efficiently in digital systems with workflows. The ISMS should be integrated as well, as it often provides the common database for data protection and BCM.

4. Reporting obligations: More complex than expected

Reporting obligations for security-related incidents are no longer limited to the GDPR. Companies, especially those in regulated industries or with critical infrastructure (KRITIS), must comply with several sets of rules at the same time – often with different deadlines, addressees, and thresholds.

GDPR – Reporting data breaches

According to Art. 33 GDPR, breaches of personal data protection must be reported to the competent supervisory authority within 72 hours. This requires that the data protection officer be informed at an early stage, which necessitates seamless integration into BCM and ISMS structures.

BSIG – Reporting to the BSI pursuant to Section 8b BSIG

Companies that fall under the BSI Act – in particular KRITIS operators – must report significant IT disruptions to the Federal Office for Information Security in accordance with Section 8b BSIG. The threshold for the reporting obligation is defined in industry-specific security standards (B3S) and differs significantly in some cases from the GDPR perspective.

NIS2 – Outlook for additional reporting obligations

The national implementation law for the EU Directive NIS2 significantly expands the group of entities subject to reporting obligations, including many medium-sized companies in essential sectors such as digital services, energy, health, and transportation. Staggered reporting deadlines (e.g., advance notification within 24 hours) are planned, which make good coordination in the event of a crisis absolutely essential.

Further industry-specific requirements: B3S, TISAX®, etc.

Depending on the sector, additional requirements may apply from industry-specific regulations – for example, in healthcare (B3S Health), the automotive industry (TISAX®), or the financial sector. These standards usually require documented processes for incident handling and verification in audits.

The challenge: one incident – four obligations?

A single IT security incident can potentially trigger several parallel reporting obligations. Without coordinated processes, clear roles, and consistent communication, the following risks arise:

– Delays in initial assessment

– Incomplete reports

– Missed deadlines

– Duplicate and incorrect reports

Therefore, consolidating reporting channels and coordinating data protection, information security, and BCM is not a formality, but essential for an organization’s legal compliance, auditability, and resilience.

5. Practical example: With or without BCM?

A manufacturing company experiences a targeted cyberattack.

Scenario 1: There is no coordinated structure. The data protection officer learns of the incident too late. The GDPR report is submitted too late. The result: fines and damage to reputation.

Scenario 2: BCM and data protection work together. The report is submitted on time. IT knows what to do and when, and the company continues to operate in emergency mode. Management retains control. Result: no fines, but trust from customers and regulators.

Practical check for companies

Companies should regularly check whether their data protection and BCM structures are integrated with each other. A simple check: Is the IT emergency plan also available to the data protection officer? Does the ISMS contain clear instructions on how to fulfill GDPR reporting obligations in the event of security incidents? Are BCM RTOs aligned with the data protection process deadlines? If not, urgent action is required.

FAQ: Frequently asked questions about data protection and BCM

  • What is the difference between data protection and BCM?
    Data protection protects personal data, while BCM ensures the continuation of critical business processes. The two complement each other, especially in crisis situations.
  • Do data protection processes have to be included in the BIA?
    Yes, in particular reporting processes in accordance with Art. 33/34 GDPR and data subject rights should be considered in the Business Impact Analysis (BIA).
  • What reporting deadlines apply in an emergency?
    GDPR: 72 hours from the time an incident becomes known. More specific reporting deadlines may be shorter. A coordinated emergency structure is therefore mandatory.
  • How often must BCM and data protection plans be tested?
    Emergency and recovery plans should be reviewed at least once a year to ensure that they are up to date and effective, ideally through staff exercises, plan reviews, or technical tests (penetration tests). An unscheduled test is advisable in the event of significant changes to IT operations or the organizational structure.
  • What role do data protection officers play in crisis management?
    Data protection officers should be named in the emergency plans and involved at an early stage – their expertise is required in the event of security incidents involving personal data. Their involvement is a prerequisite for GDPR-compliant assessment and timely reporting.
  • What does RTO mean in the context of data protection processes?
    The “Recovery Time Objective” defines how quickly a process or system must be restored after a failure. A maximum tolerable downtime window should also be defined for data protection processes such as data subject rights or incident reporting, in line with legal deadlines.
  • How can BCM and data protection be combined in the ISMS?
    An effective ISMS should address BCM and data protection requirements together, e.g., through integrated risk analyses, uniform role models, and centralized control of measures. In terms of tools, it is advisable to use platforms that integrate data protection, information security, and BCM and use a common database.
  • How does outsourcing, e.g., to the cloud, affect BCM and data protection?
    Outsourced services must be contractually and technically integrated into BCM and data protection structures. This includes restart times, responsibilities in the event of incidents, and access to relevant supporting documents, including those held by third parties. In particular, the interfaces in emergency communication must be examined.
  • What role does crisis communication play in the interaction between data protection and BCM?
    Crisis communication is a central component of both disciplines; strictly speaking, it is even a discipline in its own right that is too often overlooked: Data protection requires timely and complete information to be provided to supervisory authorities and, where applicable, to the persons concerned, while BCM focuses on company-wide internal and external communication to maintain critical processes. Without coordinated communication plans, there is a risk of contradictory statements or missed deadlines.
  • How can documentation requirements in data protection and BCM be combined?
    Both GDPR and BCM requirements (or ISMS requirements) require documented processes, responsibilities, and evidence of testing, training, and incident response. Companies should use a central system or an integrated management system (IMS) to bundle relevant evidence in one place. This saves effort, increases transparency, and improves auditability for external auditors or supervisory authorities.

6. Availability starts with leadership

Availability is not a technical detail. It is an expression of responsibility—strategic, organizational, and operational. When critical systems or processes fail or data is lost, it is not only technical deficiencies that become apparent, but also shortcomings in planning, prioritization, and communication. And this is precisely where the task and responsibility of company management begins.

Anyone who takes operational resilience seriously must anchor data protection and BCM, and, thinking further ahead, information security as well, as integral components of corporate management—not just in the rules and regulations, but in the thinking and actions of all management levels. After all, emergencies are not a matter for individual departments, but a test for the entire company.

Leadership is demonstrated by setting clear goals, for example in the form of measurable restart times for data protection-related processes. It is demonstrated by providing resources for testing, training, and systems. It is demonstrated by the ability to visibly take responsibility in an emergency: transparently, coordinated, and comprehensibly.

This also includes integrating key figures for organizational resilience into corporate management: How many critical processes are documented for emergency situations? What reporting deadlines can be met under real conditions? How often are data protection and BCM tested together?

Leadership does not mean knowing everything yourself, but asking the right questions, empowering the right people, and creating a culture in which organizational resilience does not exist on paper, but is lived and breathed. This is precisely the difference between symbolism and substance.

Those who delegate availability without strategically anchoring it risk not only operational failures but also trust: among customers, regulatory authorities, and employees. Those who understand it as a management task, on the other hand, lay the foundation for a robust, responsible company.

Conclusion: Data protection and BCM are two sides of the same coin

Data protection and BCM, or business continuity management, are not separate disciplines with their own agendas; they are complementary parts of a shared responsibility: protecting people and companies in crisis situations. If you really want to protect personal data, you cannot ignore the issue of availability. Similarly, a BCM that is purely technical and ignores data protection obligations can be dangerously incomplete in an emergency.

Practice shows that only by taking an integrated view of both systems can resilience, legal certainty, and operational capability be achieved simultaneously. This is not about additional bureaucracy or “shelfware,” but about efficiency through clarity: coordinated recovery times, consolidated reporting channels, transparent responsibilities, and tested processes.

Organizations that consciously integrate data protection and BCM are not only acting in compliance with standards, they are actively investing in trust. Trust from regulatory authorities, customers, partners, and, last but not least, from their own employees, who can rely on functioning structures.

Organizational resilience is not a coincidence, but the result of preparation, communication, and leadership. It begins at the highest level of management, is specified in strategies, operationalized in roles – and proven in emergencies. Companies that no longer think of data protection, BCM, and information security as separate entities, but rather design them together, create a sustainable competitive advantage in a world where outages, cyberattacks, and data breaches are no longer hypothetical risks, but a sad part of everyday life.

Those who want to not only survive the next crisis, but also overcome it with confidence, need both perspectives: data protection and BCM, as two sides of the same coin.

Expert in digital resilience, data protection, and strategic IT governance. Christopher Schroer is managing partner of firstbyte digital consulting gmbh. For more than 20 years, he has supported medium-sized companies in developing robust digital strategies at the intersection of IT security, data protection, resilience, and futures research. His particular strength: combining technical know-how, regulatory expertise, and strategic design capability. He approaches IT governance consistently and holistically – from the GDPR to AI ethics, from ISO 27001 to NIS2 and TISAX®. Feasibility, impact, and fit with the business always take center stage. His consulting style: scientifically grounded, entrepreneurially minded, and delivered with a practical focus. Many clients have trusted him for more than a decade, especially when it comes to shaping digitalization securely, in a value-based way, and with the future in mind.
