Based on the identified measures, the existing documents (privacy policy, contracts, etc.) need to be reviewed and updated if necessary. Missing documents should be created, and responsibilities and processes should be defined as needed.
The specific documents, policies, and processes to be created or defined depend on the circumstances of each individual case and may include:
- Updating the privacy policy on the website
- Creating missing documents
- Privacy policy for customers and other contractual partners
- Privacy policy for employees, and possibly also for job applicants
- Record of processing activities (exemption possible for SMEs, but recommended)
- Application inventory (exemption possible for SMEs, but recommended)
- Data protection impact assessment for high-risk processing
- Agreements with data processors
- Updating terms and conditions
- Updating contracts
- Optionally, a record of data protection incidents
- Defining processes and policies
- Internal Data Protection Policies
- Process for handling requests from data subjects
- Documentation of measures for data security protection
- Procedures for addressing data security breaches
- Data retention periods and deletion
- Processes and policies for ICT, cloud services, and marketing
- Adjusting systems or procuring new systems that are compliant
- Security policies for IT systems
- Data processing agreements (cloud services, marketing)
- Data transfers to foreign countries (secure/insecure countries)
- Compliance and risk assessments
- Employee training
