Data protection law in the UK is undergoing its most significant change since the Data Protection Act (DPA) of 1998. The new EU General Data Protection Regulation (GDPR) came into effect in May 2016, and companies have until 25th May 2018 to become fully compliant. The government has confirmed that the UK’s decision to leave the EU will not affect the enforcement date. The changes bring with them the need for a named person to be responsible, who will face criminal charges if the company gets it wrong. The new rules come with fines of up to $20m or 4% of a company’s global turnover, and apply to any company which holds data relating to a European citizen. One of the major changes is the requirement for privacy by design: companies will need to justify the data that they collect and store. There is also a detailed disclosure clause: if your company suffers a successful hack, it must inform regulators within 72 hours.