The GDPR’s requirements were purposefully left flexible to be adaptable to many types of companies and circumstances. Sensible though the legislators’ goal of flexibility may be, it can be frustrating for data security teams to try to translate a standard into specific policies, procedures and practices, and organizations are eager to obtain prescriptive guidance. The U.K.’s Information Commissioner’s Office (ICO) has provided such guidance, and in this guest article, Hogan Lovells attorney Nathan Salminen analyzes the advice and distills the valuable insights it gives, focusing on some of the most noteworthy topics discussed, including mobile devices, patching, service providers, documentation of decisions, and locking down systems and devices. See also “Direct From the Irish Data Commissioner: GDPR Enforcement Priorities (Part Two of Two)” (May 2, 2018).