An EU analyst must implement a new high-risk personal data storage system in the cloud for an external policy project. The system processes sensitive data that could reveal the racial or ethnic origin of individuals. The analyst must ensure compliance with the GDPR and data security. According to the fundamental principles of the GDPR and EU cyber security best practices, which of the following technical and organisational measures is the most critical and specific to mitigate the risk of sensitive data being accessible by unauthorised personnel, even in case of a cloud provider security breach?