The General Data Protection Regulation (GDPR) has been in force for over a month. Many organisations are still in the process of putting all the necessary organisational procedures in place and looking for cost-effective solutions to implement all GDPR requirements. Among other things the GDPR requires that a data manager should adopt appropriate technical and organisational procedures, but a detailed description is not provided. In practice, organisations are facing substantially different requirements — acceptable to some entities but unreasonable, expensive and unnecessary for others. How do we check that our security procedures are adequate and demands our business partners make are not excessive?