by TXV
3013 days ago
The GDPR isn't a set of technical specs. It purposefully sets out broad guidelines and leaves the implementation to each data-handling organization. Obviously the requirements and challenges of a hospital are much different than those of an e-commerce.
Therefore, it is the organization, or more precisely its DPO, that has to define what is "appropriate" to their business. Then, according to your interests/knowledge/SOW, you can act as a security consultant who gives proactive advice, or as a contractor that develops a solution from a set of specs.