One of the areas of GDPR that has gotten a lot of attention is the concept of Data Protection by Design and Default. This concept is outlined in Article 25 of GDPR.
The concept of data protection by default and design can be broken down into two areas.
There is an overlap between the areas of privacy and security in how GDPR requires aspects of both. The overarching message is that organizations, in order to comply with GDPR, need to design a program to minimize data collection and processing to the minimum necessary data, and then they need to implement security, both technical and organizational, to protect that minimum amount of data. These requirements are far-reaching within an organization.
GDPR mandates privacy policies and procedures for personal data collection and security implementations to protect personal data.