The GDPR will significantly expand the scope and reach of data protection. This means that most companies can no longer rely solely on their Legal and Security officers to champion compliance and safeguard the personal data processed by the company (and by its 3rd parties). Going forward, companies need to embrace data protection as a core competence, because the reputational risks and regulatory fines can put you out of business.
GDPR introduces an Accountability Principle that makes the data controller (your company) responsible for demonstrating compliance and for notifying the authorities of any breaches. This means that data protection changes from a reactive tick-box exercise to a proactive, business-critical discipline.
We received a range of different responses and concluded that it is very difficult to correctly identify when data is personal. The reason for this difficulty is that under GDPR, the correct interpretation depends on the specific context in which the data is held and used. Most employees would want to be told in clear and simple terms which data falls within GDPR, but that is not possible. Instead, we suggest that you treat all data with the same protection as personal data and make exceptions only for data that has been confirmed as non-personal. Note that non-personal data can become personal data if the context changes or new data is combined with existing data.