Well, the obvious thing is that we have to abide by it.
The interesting thing is that patient data protection has its own separate regulations in the US and EU markets and that evidence for compliance is not part of the submission process.
I believe FDA was the pioneer of patient data protection through HIPAA and HITECH acts, and the rest of the major markets will follow.
From an RA perspective you need to do the best you can not to include patient health information in your device (i.e. information that identifies the patient), but as the digital era and wireless communication expand, it will become more and more a must to include a set of SOPs, WIs, and forms as part of your QMS in order to protect patient privacy. It's a big deal. I'm doing one myself right now.
There will be a constant challenge to keep up with all the changes and updates with respect to cybersecurity.
Well, we've followed "standard" GDPR/ISO27001 approach.
Documented personal data categories - in order to know what personal data we are processing.
Conducted a risk assessment for these categories - to identify personal data security risks. When doing the assessment, remember the CIA properties of information security: Confidentiality, Integrity, Availability.
Prepared the risk treatment plan with the currently implemented security measures and those we want/have to implement.
Implemented personal data security measures in three areas: organizational, technological, and contractual. On the technology side, remember the measures that GDPR references directly: encryption, backups, confidentiality, and keeping systems operational.
Then, we keep personal data secure in operations by having the IT System Administrators execute the Operations Management Process. I personally think this is the most important step in that process.
Finally, at least once a year, or on a major change in the company environment, we review the security of the personal data Information Security Management System.
Generally, we slightly extended the ISO 27001 Information Security Management System with GDPR specifics.