The new Data Protection Regulation, which will replace the 1995 Data Protection Directive, has now been agreed. It will have a major impact on businesses in all sectors. It strengthens protections for, and rights of, individuals (including employees and consumer customers), with tough extended rules about informing individuals about processing and obtaining consent, as well as imposing some new obligations and beefing up others. It gives regulators the power to fine up to €20 million, or 4% of global turnover. The many changes include mandatory notification of data breaches and the requirement to design processes and systems to meet privacy requirements. The regulation will come into force in mid-2018, but preparations should ideally begin now. As a starting point, it is useful to perform data audits to get a clear picture of what personal data is being processed in the business and to assess the nature and scope of the compliance that will be required once the new law comes into force.