If your organization is willing to spend the time, effort, and money to get certified in ISO/IEC 27001, that’s half the battle! GDPR has some prescriptive requirements, but at the end of the day 27001, NIST 800-53, HIPAA, you name it, are all saying essentially the same thing: execute on the security basics over and over and over again. Relentless incrementalism is key. As soon as you let your guard down or fail to acknowledge risks in any area, that’s when you’ll get hit.