Certified Information Systems Security Professional (CISSP) — Question 75
The European Union (EU) General Data Protection Regulation (GDPR) requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The Data Owner should therefore consider which of the following requirements?
Answer options
- A. Never to store personal data of EU citizens outside the EU
- B. Data masking and encryption of personal data
- C. Only to use encryption protocols approved by EU
- D. Anonymization of personal data when transmitted to sources outside the EU
Correct answer: B
Explanation
The correct answer is B. The question paraphrases GDPR Article 32(1), which lists "the pseudonymisation and encryption of personal data" as the first example of an appropriate technical measure; data masking is the practical form pseudonymisation usually takes, so B is the only option that maps directly to what the regulation asks the data owner (the controller, in GDPR terms) to consider. Option A is wrong because GDPR does not forbid storing or transferring personal data outside the EU: Chapter V permits transfers to third countries under an adequacy decision or with appropriate safeguards such as standard contractual clauses or binding corporate rules. Option C is wrong because GDPR is technology-neutral and names no approved list of encryption protocols; the controller chooses measures appropriate to the risk and the state of the art. Option D is wrong because anonymisation is not a transfer requirement, and truly anonymised data is outside the scope of GDPR altogether (Recital 26), so it is not the security measure the regulation has in mind for data that remains personal.