The GDPR

The information world has changed because of the General Data Protection Regulation. It is applicable to the UK until the 31st December 2020; after this date it is likely to be replaced by the UK GDPR, as it is currently a piece of European legislation. It still applies after Brexit because of the Withdrawal Agreement Bill signed by the Prime Minister and his European counterparts. There is little doubt that this regulation has transformed the data protection sector because of its focus on protecting people. It is no doubt a good piece of legislation because it makes us focus on security, as well as other well-applauded elements that are found in the principles of data protection at Article 5. It would be wise to understand that you cannot do as you wish with the data in your organisation's possession; guard it as if it were your own.

What does it say?

With regard to data protection, there is something brief that you need to understand: the GDPR asks us to focus on consent to process; in other words, you need to have a reason 'in law' to be able to process or store data. You also need to use the data only for its intended purposes, or the purposes for which it was given, and ultimately you need to delete data should you no longer need it. To put it bluntly, should you no longer have a legal basis to keep data, the delete function is to be explored further - and this is the part of the GDPR that terrifies companies. No one likes to delete data. Why is that? Because information is money, information is power and information loss is troubling to some.

My advice

The GDPR punishes as much as it protects. The chances are that someone, somewhere is looking to use your data in a malicious manner, and the GDPR is there to protect us from data theft. What we all have to remember is that this law is here to stay, and it is best if you understand this principle: worry not about data protection laws, worry instead about the information that you receive, process and store - because ultimately what you do with data is what's important. You don't need to know about the GDPR in infinite detail, but you do need to understand that you need a system of mitigation in place to protect your business should you be on the wrong side of a reported data breach.