Which of the following should be done FIRST when establishing security measures for personal data stored and processed on a human resources management system?

A. Conduct a privacy impact assessment.
B. Evaluate data encryption technologies.
C. Move the system into a separate network.
D. Conduct a vulnerability assessment.