Organizations must protect PII in a number of different ways, and must be able to demonstrate due diligence in keeping records of processing activities, including the categories of personal data processed, the purposes of processing, categories of recipients of PII, transfers to third countries, and the relevant technical and organizational security measures, as well as ensuring that only authorized users have access to the data.
