The entrance in force of the GDPR set new challenges and opportunities for Europe-based companies. In particular, the new regulation puts cyber security under the spotlight as a fundamental requirement to guarantee data protection. Indeed, as the digital revolution has paved the way to international businesses and new market ventures, so has also increased the threats from cyber attacks. In 2016, 4 billions of personal data records have been hacked [Verizon “Data Breach Investigations Report, 2017”]. The necessity of higher security is indeed encapsulated by the GDPR, which poses ‘data security’ and ‘data protection’ as fundamental human rights. An effective action toward compliance requires not only skills, but most importantly the cultural shift to acknowledge that data protection regards people and processes before than technology; GDPR requires this to become central as much as the core business for every enterprise or small to medium company in the modern digital era.