There is a real buzz at the moment across most industries on the impacts of the forth coming General Data Protection Regulation. 

From what I have seen there are two camps in most businesses: those who have studied the legislation and supporting documents, and those who have formed a high-level view that there is "new regulation coming that means we have to encrypt and protect our data more, and if we don't we could lose 4% of our revenue in fines".

I stumbled across this blog by Peter Galdles and felt that it provides a good middle ground, highlighting the key components of the regulation and then explaining each component to a consumable level of detail upon. The upshot being that it then becomes easier to start to envision the impact that this legislation will have on different industries and the different players within those industries (e.g. end customers, suppliers, service providers, technology outsourcers etc...)

The sector that I work within, Insurance, is an industry that has typically held a lot of data about it's clients and therefore it is safe to assume that this legislation will require organisations in the sector to invest in data technology and undertake wholesale reforms of their data governance and controls. 

However, what stood out for me was Peter's definition of "Personal data" being:

“any information relating to an person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

So in many cases online identifiers including IP address, cookies and so forth will now be regarded as personal data if they can be (or are capable of being) without undue effort linked back to the data subject."

This not only highlights the wide-spread impact of this regulation across pretty much every industry (perhaps less so in primary sectors), but interestingly it shines a spotlight on the impacts of digital transformation on modern society and how individuals, global organisations and all in-between need to think about protecting traditional personal identity as well as digital identity data.

As with all regulation and legislative changes, there is an element of interpretation required and it will take some time and maybe even a high-profile court case to really appreciate the boundaries of what it applies to. But the the summary in Peter's blog is a good starting point if you don't know anything about GDPR, or, it acts as a good sense check if you think you know what its about but welcome a simple summary to check and balance your understanding - which it was for me.