Page 353 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
organization. Administrators grant access to data based on guidelines
provided by the data owners. A custodian is delegated day-to-day
responsibilities for properly storing and protecting data. A user (often
called an end user) accesses data on a system.
The EU General Data Protection Regulation (GDPR) mandates
protection of personal data and restricts transfers of personal data out
of the EU to countries that do not provide adequate protection. A data
controller can hire a third party to process data, and in this context,
the third party is the data processor. Data processors have a
responsibility to protect the privacy of the data and not use it for any
purpose other than the one directed by the data controller. Two key
security controls mentioned in the GDPR are encryption and
pseudonymization. Pseudonymization replaces directly identifying fields
with artificial identifiers (pseudonyms) so that the data can no longer
be attributed to a specific person without additional information, such
as a key or lookup table, that is kept separately and under its own
access controls. Pseudonymized data is still personal data under the
GDPR; only truly anonymized data falls outside its scope.
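The following is an added example, not code from the study guide, showing one common way to pseudonymize a dataset: a keyed hash (HMAC-SHA256) over each direct identifier, with the key and a re-identification table held apart from the data. It also shows why an unkeyed hash is not pseudonymization in any useful sense: an attacker with a list of candidate e-mail addresses can simply recompute the hashes. The records, field names and the fixed `DEMO_KEY` are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people), for illustration only.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "country": "DE", "amount": 42.0},
    {"id": 2, "email": "bob@example.com", "country": "FR", "amount": 17.5},
    {"id": 3, "email": "alice@example.com", "country": "DE", "amount": 8.0},
]

# Fields that directly identify a data subject and must be replaced.
DIRECT_IDENTIFIERS = ("email",)

# Fixed key so the example is reproducible (assumption for the demo). In
# practice generate it with new_key() and store it separately from the
# pseudonymized dataset, e.g. in a KMS or HSM: key + dataset = re-identifiable.
DEMO_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key."""
    return secrets.token_bytes(32)


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier. Deterministic, so all records of one
    person map to the same pseudonym and can still be analysed together, but
    without the key the pseudonym cannot be recomputed or tested against a
    guess."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256 with no secret. Looks like a pseudonym but anyone with a
    candidate list can recompute it and re-identify the record."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(records, key):
    """Return (pseudonymized records, re-identification table).
    The table (together with the key) is the 'additional information' that
    must be kept separately and under access control; the dataset alone
    should not allow attribution to a person. Input records are not mutated."""
    out, table = [], {}
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            p = keyed_pseudonym(rec[field], key)
            copy[field] = p
            table[p] = rec[field]
        out.append(copy)
    return out, table


def guess_attack(pseudonyms, candidates, fn):
    """Dictionary attack: apply fn to every candidate identifier and report
    which pseudonyms it explains. Succeeds against unkeyed hashing; fails
    against HMAC when the attacker lacks the key."""
    lookup = {fn(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


if __name__ == "__main__":
    data, table = pseudonymize(RECORDS, DEMO_KEY)
    for row in data:
        print(row)
    # Linkability survives: rows 1 and 3 share a pseudonym.
    print("same person:", data[0]["email"] == data[2]["email"])
    cands = ["alice@example.com", "bob@example.com", "carol@example.com"]
    # Attacker without the key recovers nothing.
    print("keyed, wrong key:", guess_attack(
        [r["email"] for r in data], cands,
        lambda v: keyed_pseudonym(v, b"attacker-guess")))
    # Unkeyed hashing is broken by the same guess list.
    weak = [unkeyed_pseudonym(r["email"]) for r in RECORDS]
    print("unkeyed:", guess_attack(weak, cands, unkeyed_pseudonym))
```

Because the pseudonym is deterministic, analysts can still count purchases per customer, which is the point of pseudonymizing rather than deleting the identifier. Rotating the key breaks that linkage across datasets, which is sometimes exactly what you want for data shared with a processor.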
Security baselines provide a set of security controls that an
organization can implement as a secure starting point. Some
publications (such as NIST SP 800-53) identify security control
baselines. However, these baselines don't apply equally to all
organizations. Instead, organizations use scoping (selecting only the
baseline controls that apply to their systems) and tailoring (adjusting
those controls to fit their mission and risk) to identify the security
controls to implement in their baselines. Additionally, organizations
ensure that they implement security controls mandated by external
standards that apply to their organization.