by Thespian2 3016 days ago
As others have said, the law isn't a technical spec. It describes what you should do, not how you should do it. The concept of "due care" (http://www.businessdictionary.com/definition/due-care.html) comes into play here. GDPR, at its core, is about legally requiring businesses to care for customer data. It gives customers increased control over how their data is used, and how it should be protected.

In answer to OP's question "how do I know it is appropriate," as a first pass, how would you feel if your most important personal data were being treated that way? As a developer, if that makes you uncomfortable, that's probably a warning sign.