If you believe the information security industry, implementing GDPR is a technology problem. That’s plain wrong. Of the 99 articles in GDPR, only one is explicitly about security. We’ll examine that article’s language and discuss what are 'state of the art', 'the rights and freedoms of natural persons' and 'appropriate technical and organisational measures'. However this isn’t the real security problem. To allow data subjects to exercise their fundamental rights, organisations will need to develop ‘rights portals’ which will bring their own security and identity management challenges.