Every week we see the same pattern. A scale-up is close to signing an enterprise contract. The client's procurement team sends a security questionnaire. The operations director forwards it to the IT lead, who spends two days pulling together answers from memory and half-documented internal processes. The questionnaire goes back. The client's security team follows up with specific questions about GDPR Article 32 compliance. Things slow down.

The problem is rarely that the company lacks adequate security. The problem is almost always that they cannot demonstrate it in a structured, auditable form. This is the GDPR security gap — and it is fixable without rebuilding your security posture from scratch.

What Article 32 actually says

Article 32(1) requires controllers and processors to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk", taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. It then lists four examples of what those measures may include: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures.

Two things matter here. First, the standard is proportionate to risk, not prescriptive. Article 32(2) frames that risk in terms of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, so a company processing employee payroll data faces different requirements than one processing health data or financial transactions. Second, the obligation is ongoing: "regularly testing, assessing and evaluating" means you cannot do this once and file it away.

What regulators and enterprise buyers want to see is evidence of a systematic approach — not just a list of controls you have deployed.

The documentation gap

Most mid-size and scale-up companies have reasonable technical controls. They use MFA on critical systems, they encrypt data at rest, they have access controls, they take backups. The gap is that none of this is documented in a form that answers the Article 32 question directly.

When a German enterprise buyer or a supervisory authority asks "how do you ensure a level of security appropriate to the risk under Article 32 DSGVO," they expect a specific answer structure:

  1. What personal data do you process, and what is the associated risk level?
  2. What technical measures are in place for each risk category?
  3. What organisational measures govern access, handling, and incident response?
  4. How do you test and evaluate these measures, and how often?
  5. What is your incident response and breach notification procedure?

If you cannot answer these five questions with documentation rather than verbal assurance, you have the documentation gap — regardless of how good your actual controls are.

What auditors and enterprise buyers look for

Enterprise security questionnaires vary significantly, but they converge on the same underlying questions. In German-market enterprise procurement, we consistently see requests for:

  • A record of processing activities (Verzeichnis von Verarbeitungstätigkeiten, required by Article 30) that includes data categories, retention periods, and recipient categories
  • A data processing agreement (DPA) that reflects your actual processing activities — not a generic template
  • Evidence of a recent security review or assessment, ideally an external one
  • An incident response procedure with documented notification timelines
  • Supplier and sub-processor documentation showing you have assessed their security posture

Supervisory authorities (the Landesdatenschutzbehörden in Germany) tend to focus on the same areas when they receive a complaint or conduct a sector audit. The Bavarian State Office for Data Protection Supervision (BayLDA) published audit criteria in 2024 that closely mirror this list.

The quick wins: where to start

If your goal is to close a deal in the next six to twelve weeks, focus on the items that enterprise buyers request first and that can be produced relatively quickly with existing information:

First, update your record of processing activities to reflect your actual current data flows. Most companies have a version of this from their initial GDPR implementation in 2018 that has not been maintained. An outdated one is worse than none — it exposes gaps between what you said you do and what you actually do.

Second, produce a short security measures summary, one or two pages, that maps each of your controls to the Article 32(1) categories it supports. This does not need to be a lengthy document, but it needs to be accurate and structured: a control listed without a reference to where an auditor can verify it (a policy export, a ticket, a test report) is a claim, not evidence. Many enterprise buyers accept a well-structured overview of this length as sufficient for initial due diligence.

Third, document your incident response procedure against the GDPR notification timeline. Article 33 requires a controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach; a processor must notify the controller without undue delay; and Article 34 requires notifying affected data subjects where the breach is likely to result in a high risk to them. The procedure should state who decides that the company is "aware", who drafts and sends the notification, and what is recorded internally for breaches that fall below the notification threshold. If you have never written this down, the act of writing it will reveal whether your current process would actually work under time pressure.
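The second quick win above is easy to get wrong in exactly the way the page warns about: a control listed under the wrong category, with no evidence reference, or with a test date old enough that the "regular testing" claim is false. The following script is an added example, not code from the page or from EncryptEdge One. It keeps the control inventory as data, renders the skeleton of the one-page summary grouped by Article 32(1) category, and reports the gaps a buyer or supervisory authority would find: categories with no control mapped, controls without an evidence reference, and controls whose last test is past their stated review interval. The controls, evidence strings, dates and review intervals are constructed sample data, not a real company's inventory.

```python
"""Coverage and staleness check for a control-to-Article-32 mapping.

Added example, not code from the page or its author. SAMPLE_CONTROLS is
constructed sample data; the evidence strings and dates are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Art. 32(1)(a)-(d) GDPR: the categories the security measures summary maps to.
ART32_CATEGORIES = {
    "32(1)(a)": "pseudonymisation and encryption of personal data",
    "32(1)(b)": "ongoing confidentiality, integrity, availability and resilience",
    "32(1)(c)": "timely restoration of availability and access after an incident",
    "32(1)(d)": "regular testing, assessing and evaluating effectiveness",
}


@dataclass
class Control:
    name: str
    categories: list[str]            # Art. 32(1) letters this control supports
    evidence: str | None             # where a buyer or auditor can verify it
    last_tested: date | None         # when the control was last exercised, not merely configured
    review_interval_days: int = 365  # how often the summary promises it is re-tested


def check_mapping(controls: list[Control], today: date) -> list[str]:
    """Return human-readable findings; an empty list means the mapping is defensible."""
    findings: list[str] = []
    covered = {cat for ctl in controls for cat in ctl.categories}
    for cat, desc in ART32_CATEGORIES.items():
        if cat not in covered:
            findings.append(f"no control mapped to Art. {cat} ({desc})")
    for ctl in controls:
        for cat in ctl.categories:
            if cat not in ART32_CATEGORIES:
                findings.append(f"{ctl.name}: unknown category {cat!r}")
        if not ctl.evidence:
            findings.append(f"{ctl.name}: no evidence reference, cannot be verified")
        if ctl.last_tested is None:
            findings.append(f"{ctl.name}: never tested")
        else:
            overdue = (today - ctl.last_tested).days - ctl.review_interval_days
            if overdue > 0:
                findings.append(
                    f"{ctl.name}: last tested {ctl.last_tested.isoformat()}, "
                    f"{overdue} days past its {ctl.review_interval_days}-day review interval"
                )
    return findings


def render_summary(controls: list[Control]) -> list[str]:
    """One line per Art. 32(1) category: the skeleton of the one-page summary."""
    lines = []
    for cat, desc in ART32_CATEGORIES.items():
        names = [ctl.name for ctl in controls if cat in ctl.categories]
        lines.append(f"Art. {cat} {desc}: {', '.join(names) or '(none)'}")
    return lines


# Constructed sample inventory (hypothetical controls, not a real company's).
SAMPLE_CONTROLS = [
    Control("MFA on admin and production access", ["32(1)(b)"],
            evidence="IdP policy export, quarterly access review ticket",
            last_tested=date(2025, 1, 10)),
    Control("Disk encryption on laptops and databases", ["32(1)(a)"],
            evidence=None, last_tested=date(2024, 2, 1)),
    Control("Nightly backups with restore drill", ["32(1)(c)"],
            evidence="restore runbook, drill report", last_tested=date(2023, 11, 15),
            review_interval_days=180),
    # Nothing mapped to 32(1)(d): the "regular testing" gap the page describes.
]

# Fixed reference date so the findings are reproducible.
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for line in render_summary(SAMPLE_CONTROLS):
        print(line)
    for finding in check_mapping(SAMPLE_CONTROLS, TODAY):
        print("FINDING:", finding)
```

Run as-is, the sample inventory produces four findings: no control for 32(1)(d), no evidence for the encryption control, and two controls past their review interval. Keeping the inventory in this shape means the summary handed to a buyer and the answer to "how often do you test" come from the same source, so they cannot drift apart.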

What requires more time

The items above address the immediate enterprise sales problem. The underlying Article 32 obligation requires more: a risk assessment that is proportionate to your specific data processing activities, regular testing of your security measures, and an ongoing process for reviewing and updating your controls as your environment changes.

Building this properly takes longer than closing a deal. But the two are not in conflict — you can produce deal-closing documentation from your existing controls while building the systematic approach in parallel.

Need GDPR Article 32 documentation?

We produce Article 32 security documentation from your existing controls — structured for enterprise client questionnaires and supervisory authority review.

Discuss your situation

Renata Voss

Compliance and Risk Lead, EncryptEdge One

Renata leads NIS2, GDPR, and ISO 27001 engagements at EncryptEdge One. She holds a postgraduate qualification in information law from Universität zu Köln and previously advised companies on supervisory authority audits under the DSGVO.