Requirements and acquisition

Goal: Ensure requirements include explicit privacy and security criteria.

  1. Define functional, privacy and security requirements. Include purpose limitation and data minimization requirements.
  2. Conduct a Privacy Impact Assessment (PIA) and update the risk register.
  3. Translate the identified risks into measurable security requirements, such as encryption, role-based access control (RBAC), logging and data retention limits.
  4. For procurement: include security clauses, acceptance criteria and a security evaluation of tenders.
  5. For third parties: require evidence of prior security audits and contractual data protection obligations.