A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Entity conducts Data Protection Impact Assessments periodically in order to assess the regulatory risks associated with processing of personal data
Entity ensures that appropriate remediation measures are in place when personal data is shared with vendors as a part of its processing activities