Data should be protected against accidental or unlawful destruction, loss, alteration and disclosure.
Must take proactive measures to enhance data security.
Must design the internal data processing procedure and continue to assess its security.
Is the organization planning how to develop its technology, products, processes and organizational structure with data protection and privacy as key components, and is it aware of the gaps for doing so?
Is the organization aware of technologies to encrypt personal data and has it encrypted some personal data such as government identification numbers, birthdates, or banking numbers?
Does the organization have an ongoing effort to identify needed people, process and technology controls to protect the confidentiality, integrity, and availability (CIA) of personal data?
Is the organization aware of the potential impacts from breaches of personal data and does it have a response plan in place?
Does the organization perform testing of its security measures, whether through technical means, social engineering, or tabletop exercises?