The French data protection authority (CNIL) has published new guidelines on the security of personal data, with practical recommendations to help businesses implement appropriate measures to protect personal data in compliance with the GDPR. Although the GDPR provides some guidance, the CNIL acknowledges that determining which measures are appropriate may be difficult for businesses that are unfamiliar with risk management methods for data processing. The CNIL's recommendations are organized into 17 themes, both to advise organizations on how to comply with and document their security obligations and to serve as a practical tool for conducting privacy impact assessments.