Yes, it’s complicated but much relates to the cultural set-up of a firm, that can be translated into the principles of good governance. Before starting on your road to GDPR compliance it is important to remember that the whole cross section of staff within your firm, needs to be both informed and involved if you are to avoid the numerous tripwires contained in the Regulation.
This means that there must be universal awareness of obligations under the regulation. It is not just about IT. Your everyday systems and processes must be made robustly and demonstrably viable.