by kuschku 3013 days ago
EU law is written so it can apply for many decades – when the precursor of the GDPR was written (1995), MD5 was considered secure.

So, you should expect the "appropriate" part to mean the current state of the art to keep something secure.

An "appropriate" hashing algorithm today would be bcrypt, scrypt, or potentially still a salted SHA512 with many rounds.

An "appropriate" protection against unauthorised access would probably be a strict permissions setup in your AWS rules, proper firewalling, and potentially at-rest encryption.

An "appropriate" encryption would be AES 256 GCM.

"Appropriate" always just refers to the current state of the art for what is considered secure.

1 comments
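An added example (not part of the original comment or thread) showing what the parent comment's "appropriate hashing algorithm" looks like in practice, using only the Python standard library: scrypt as the preferred scheme, with PBKDF2-HMAC-SHA512 standing in for "salted SHA512 with many rounds". Because the comment's point is that "appropriate" tracks the state of the art, the example also stores the scheme and parameters alongside each hash and exposes a `needs_rehash` check, so records hashed under older parameters can be upgraded on the user's next successful login. The parameter values, the record format, and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Policy constants (assumed values for illustration; tune to your hardware and latency budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024          # allow scrypt's 128*N*r bytes of working memory
PBKDF2_ROUNDS = 600_000                   # PBKDF2-HMAC-SHA512 iteration count
SALT_LEN = 16                             # 128-bit random salt per password
DK_LEN = 32                               # derived key length in bytes


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str, scheme: str = "scrypt", pbkdf2_rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: scheme$params$salt_b64$hash_b64.

    Storing scheme and parameters with the hash is what makes later upgrades possible.
    """
    salt = os.urandom(SALT_LEN)
    pw = password.encode("utf-8")
    if scheme == "scrypt":
        dk = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=SCRYPT_MAXMEM, dklen=DK_LEN)
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    elif scheme == "pbkdf2-sha512":
        dk = hashlib.pbkdf2_hmac("sha512", pw, salt, pbkdf2_rounds, dklen=DK_LEN)
        params = str(pbkdf2_rounds)
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return "$".join([scheme, params, _b64(salt), _b64(dk)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare in constant time."""
    try:
        scheme, params, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except ValueError:
        return False                      # malformed record
    pw = password.encode("utf-8")
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        dk = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    elif scheme == "pbkdf2-sha512":
        dk = hashlib.pbkdf2_hmac("sha512", pw, salt, int(params), dklen=len(expected))
    else:
        return False                      # unknown scheme: never accept
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record falls below current policy and should be re-hashed after login."""
    try:
        scheme, params, _salt, _hash = record.split("$")
    except ValueError:
        return True
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
    if scheme == "pbkdf2-sha512":
        return int(params) < PBKDF2_ROUNDS
    return True                           # e.g. a legacy MD5 or plain SHA record


def login(password: str, record: str) -> tuple[bool, str]:
    """Typical login flow: verify, then transparently upgrade old records to the current scheme."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)  # re-hash with today's preferred scheme
    return True, record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", scheme="pbkdf2-sha512", pbkdf2_rounds=10_000)
    ok, stored = login("correct horse battery staple", stored)
    print(ok, stored.split("$")[0])       # the old 10k-round record is upgraded to scrypt on login
```

Note that `verify_password` reads the parameters from the record rather than from the policy constants, so raising the policy never locks out existing users; it only marks their records for upgrade.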

I agree with your points. I think mostly the problem is there is no one specific place to find the list of "appropriate" methods to achieve the objective. Someone working in the infosec field could probably spit them out, but a dev may not be so up to date on such nuances.

Isn't this a risk decision based on 'could I defend this against a likely prosecution'?

In that kind of situation, you'll probably end up getting measured against something between 'industry normal practice', and 'industry ideal practice'.

If you don't expect to actually get prosecuted or audited for compliance by a client or whatever, this probably doesn't matter much.

If you do, then you should probably look at whether an infosec consultant would pay for themselves in terms of avoiding fines or winning contracts.