The company should ensure that at least one named person assumes the responsibility for its IT security and responsible use of data.

1.1.1 Assign responsibility and authority to handle IT security and responsible use of data

The company should have an up-to-date written summary of the data and selected assets that enable it to run its business and exercise control according to:
– the relative importance to the company
– the company’s data subjects
– the company’s risk level

1.2.1 Overview of personal data
1.2.2 Overview of business-critical data
1.2.3 Overview of IT systems, services, network components, devices, software and activity-based algorithms/AI use-cases

The company should have a policy for IT security approved by management, which is communicated internally, revised at least once a year and updated whenever there are significant changes in the company’s activities.

1.4.1 Policy for IT security

The company should have an IT contingency plan to handle incidents.

1.5.1 IT contingency plan

The company should have a policy for handling personal data and a policy for data ethics, approved by management. These policies should be communicated internally, revised at least once a year and updated whenever there are significant changes in the company’s activities.

1.6.1 Policy for processing personal data
1.6.2 Policy for data ethics

The company should have a development lifecycle to ensure that functional and non-functional requirements (including requirements from D-seal) are specified and implemented. Tests should then be performed to determine whether they have been implemented effectively and whether they are being maintained. D-seal lays down a number of requirements to be incorporated into the development lifecycle in criteria 6 (Privacy & Security by Design & Default) and 7 (Trustworthy algorithms and AI).

1.7.1 Requirements for the development lifecycle