As has been widely predicted, it would appear that the UK will indeed adopt GDPR. The reality is that there would have been no escaping it even post-Brexit, on the premise that it applies to data pertaining to any EU citizen. So the chances of being able to remain out of scope would have been fairly marginal for most businesses these days.

So with the UK Government's 'National Cyber Security Strategy' published yesterday, it looks like 2017 is going to be the year when we can all knuckle down with a degree of clarity as to where we might be going. 

That said, the key will be prioritisation and, for many, establishing the gap between where they are and where they need to be come May 2018.

Thinking back to the early days of PCI DSS, it was all about undertaking 'gap analysis' exercises to establish what was missing. Then it was reducing scope: effectively getting rid of what was not required, and then corralling what was into much more manageable areas that could be secured and validated as compliant with the standard.

With GDPR, it will be a chance for business to undergo what might well be a long overdue cyber security 'health check'. As I have said a lot recently, as a society we are broadly 'consciously incompetent', in so much as there is heightened awareness of the cyber risks that exist, but we are still largely 'out of our depth' when it comes to protecting ourselves adequately. This 'consciousness' will hopefully garner enough interest to ensure that GDPR and its implications are taken seriously.

And as with any 'health check', it needs to be a case of professional diagnosis before one starts taking the prescribed medicine!