Mandatory security measures depend on risk level.
Taking into account the state of the art, the costs of implementation […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including” (Article 32 GDPR: Security of processing).
Consider areas particularly controlled and subject to fines and sanction
Data breaches notification and measures.
Privacy by design.
Privacy notices and policies.
Efficient measures to face data subject’ rights and respond to requests.
Specific audit and measures for transfers out of the Union.
identify potential risks on the base of data audit, gap analysis and risk classification.
Risk analysis report.