A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?
- Trap 1: Implement client-side encryption with a key management service. Client-side encryption adds complexity but is not required by GDPR if server-side encryption is already in place.
- Trap 2: Automatically delete backups older than 30 days. Backup retention policies are operational, not a specific GDPR accountability control.
- Trap 3: Apply data masking to all personal data fields before storage. Data masking is used for non-production environments, not for meeting accountability.
- A. Implement client-side encryption with a key management service.
  Why wrong: Client-side encryption adds complexity but is not required by GDPR if server-side encryption is already in place.
- B. Enable detailed logging of all access to encrypted data.
  Correct: Logging provides an audit trail to demonstrate compliance with GDPR accountability.
- C. Automatically delete backups older than 30 days.
  Why wrong: Backup retention policies are operational, not a specific GDPR accountability control.
- D. Apply data masking to all personal data fields before storage.
  Why wrong: Data masking is used for non-production environments, not for meeting accountability.