The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It’s imperative that anyone working with or for patients, particularly in digital healthcare, understands what it means to them and their products and services. The current focus of many GDPR-readiness seminars and guidelines is largely on the internal – for example, scoping the role of the Data Protection Officer, defining data controllers versus data processors, and unpicking the various justifications for legal processing of data. All crucial stuff, of course. But through focussing on these internal aspects of implementing GDPR, there’s a danger of missing something crucial….