The GDPR says that data protection principles should be implemented by default and by design. In other words, privacy should be a foundational building block of any business.
What this means in technical terms depends on the state of modern technology. The GDPR proposes security measures such as anonymization and pseudonymization, but one could argue that these are quite generic. In fact, best practices are in a constant state of flux, so today’s security measures may not even make the cut tomorrow.
There is also a clear gap between the legal intentions of the GDPR and the technical practices it recommends. Conversely, the most commonly used engineering textbooks lack discussion of privacy and human rights. So it seems that both legal and technology professionals could benefit from better collaboration.
Until then, we recommend keeping abreast of the latest security practices, hiring security professionals, and making sure that the handling of all personal data is kept under close and strict supervision.