Article 32 of the GDPR sets out the security obligations for controllers and processors with regards to personal data processing. It stipulates that they shall take ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. One of the elements to assess the appropriateness of the measures is ‘the state of the art’. This panel will inquire into the practical and theoretical aspects of ‘the state of the art’ notion, both from a legal and a technical perspective, aided by practical experience from the industry. This should contribute to a better understanding of challenges and potential solutions.