Development of the following policies and documents
•Personal Data Protection Policy (Art. 24(2) GDPR)
•Record of Processing Activities (Art. 30 GDPR)
•Security incident response policy: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects (Art. 33 GDPR); if the breach is likely to result in a high risk to the affected persons, they must also be notified without undue delay, subject to the exceptions in Art. 34(3) (for example, when the data was encrypted and is unintelligible to whoever obtained it) (Art. 34 GDPR)
•Data Breach Notification Form to the Supervisory Authority (Art. 33 GDPR)
•Data Breach Notification Form to the Data Subjects (Art. 34 GDPR)
•Data Retention Policy (Art. 5(1)(e), 13(2)(a), 17, 30(1)(f) GDPR)
“Nice to have” policies
•Data Disposal Policy
•Backup policy
•System access control policy
•SLA and escalation procedures
•Cryptographic control policy
•Disaster recovery and business continuity plan
•Secure coding standards and release/rollout procedure
•Employment policy and processes (onboarding, offboarding, confidentiality obligations)
To avoid producing a pile of separate documents, these can be combined into a single Information Governance (IG) Policy.
The GDPR does not prescribe specific security controls: Art. 32 requires measures “appropriate” to the risk (naming pseudonymisation and encryption as examples), and Art. 25 requires the architecture to follow the principle of data protection by design and by default. Typical controls include:
•Firewalls, VPN access
•Encryption for data at rest (full-disk encryption, database or column-level encryption)
•Encryption for data in transit (TLS/HTTPS, IPsec, SSH; not PPTP, whose MS-CHAPv2 authentication is broken and which should not be relied on for confidentiality)
•Access control (physical and technical)
•Intrusion detection/prevention, health monitoring and logging
•Encryption of backups, with the keys stored separately from the backup media
•Two-factor authentication, strict (least-privilege) authorization
•Antivirus/endpoint protection
•Others, depending on the system