The EU General Data Protection Regulation (GDPR) is a piece of EU law that came into force on the 25th May, 2018. It is a Regulation, not a Directive, which means it has direct effect on national legislation in each member state. Brexit will not impact its applicability in the UK: the government has made clear that the GDPR shall remain applicable to its full extent.
What is important to remember is that the GDPR is not a black and white checklist of obligations. It is a "risk-based" regulation. This means that it sets out the wider principles that it expects you to follow and then places legal accountability on you to make sure you understand what you need to do and that you are regularly assessing the risks associated with your activities to the ‘rights and freedoms’ of the people whose data you hold.
What is more, the GDPR is about evidencing your thought process when you were assessing those risks.
“If we come knocking on the door, if we investigate or conduct an audit in an organisation, the best way you can demonstrate to us that we won’t need to dive deeper and you’ve got covered all the compliance issues is to have a comprehensive accountability programme”
— Steve Wood, Deputy Information Commissioner, March 2017