Trying to limit both the probability of a data breach happening and the severity of it should it still happen, e.g.:

1. Enforcing FileVault etc. on company laptops.
2. Internal storage: reviewing servers' security, limiting duplication of sensitive data, reviewing access control.
3. Checking external dependencies: where do third parties store data? E.g. Dropbox is not GDPR compliant yet [0]; they are cutting it fine.
4. Enforcing 2FA.
5. Ensuring we have an audit trail of having assessed the GDPR impact.

[0] https://www.dropbox.com/help/security/general-data-protection-regulation
Currently product managers and some dev leads are working with our legal teams to build requirement epics around GDPR, to be worked on very early next year by development teams.

About a year ago we had a big push to be fully HIPAA compliant, so we're following a similar process. Luckily, we are hosted on Amazon and already "do the right thing" in terms of encrypting PII and storing it in the closest AWS region, so hopefully it's not too much of a huge lift.