Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
1) Database has password
2) Backups exist
3) Monthly audit that access is not done by Rogue Sysadmin and stuff is not being used for spamvertisements
4) Someone is called "Security Officer"