The GDPR refers to specific data protection mechanisms only through the term state of the art. It does this to make sure the legislation does not become obsolete as technology advances. The term includes all aspects of authentication, authorization, encryption, signatures, hashes, penetration tests, monitoring, logging, and so on, discussed throughout this book. The GDPR does, however, make an important requirement: data protection must be implemented by design and by default.
Data protection by design means that it is not sufficient to add security as a varnish, or as a layer on top of an otherwise unprotected solution. Adding a login page is not sufficient if the underlying APIs or database layers are unprotected.
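The difference between varnish and protection by design can be shown in a few lines. The following is an added example, not code from this book: the record store, the `Principal` type and the `auditor` role are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass

# Constructed sample data; subjects and fields are hypothetical.
RECORDS = {
    "alice": {"email": "alice@example.org", "diagnosis": "asthma"},
    "bob": {"email": "bob@example.org", "diagnosis": "none"},
}


@dataclass(frozen=True)
class Principal:
    """An authenticated caller. None is used for an unauthenticated request."""
    user_id: str
    roles: frozenset = frozenset()


class AccessDenied(Exception):
    """Raised by the data layer when a call is not permitted."""


def varnished_get_record(subject_id):
    """Varnish: trusts that a login page in front already filtered callers.

    Anyone who reaches this function directly (another API, a script,
    a misrouted request) gets the personal data.
    """
    return RECORDS[subject_id]


def can_read(principal, subject_id):
    """Deny unless the caller is the data subject or holds the auditor role."""
    if principal is None:
        return False
    return principal.user_id == subject_id or "auditor" in principal.roles


def get_record(principal, subject_id):
    """By design: the data layer checks every call, whatever the front end did."""
    if not can_read(principal, subject_id):
        raise AccessDenied(f"no access to records of {subject_id!r}")
    return RECORDS[subject_id]
```

Because `get_record` requires a principal on every call, a new API or batch job added later cannot reach the records without passing the same check.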