Can the organization ensure the required data security measures? Does this require additional resources, security, legal or other measures?