As much as I want to comply to GDPR, I think its articles difficult to understand, like many other law documents. https://gdpr-info.eu/ As an engineer, I found it is very difficult to translate from the regulation text to code, to actual implementation. Taking the following statement as an example: https://gdpr-info.eu/art-5-gdpr/ >>> (Personal data shall be) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). === "In a manner". In what manner? What's "appropriate security" and "appropriate technical measures"? How to interpret it? There seems to be much flexibility? Every website has some security measures to protect data to certain degree. How do I know if that's "appropriate" or enough to meet GDPR? Do I need symmetric encryption? Or Do I need asymmetric encryption? Which kind of crypto hash is considered "appropriate"? What if I use a database which is insecure by flaws, but I don't know or don't have the technical strength to know it? What if encryption on my backend caused performance penalty? What if I run a hosted, non-profit BBS based on certain open source BBS program that might be insecure? Should I patch the server with OS Update JKB8948, which is known to fix a security hole but opens another? is it an "appropriate measure"? I found this regulation put too much burden on small businesses. Just to understand this GDPR text may require consulting cost. What if this law will be abused as a tactic to attack business competitions? I'm worried. How do you understand this "security appropriateness" of the above text? How can you be sure your understanding is correct?