The implementation of the General Data Protection Regulation on 25 May 2018 represents the biggest change in privacy legislation in a generation. By bringing the balance of power back to the individual, the legislation marks a paradigm shift in the way that organisations must process and protect customer information. Although ostensibly an EU directive, the borderless nature of global commerce means that the GDPR will act as a catalyst for global change in how we manage the rights of the individual. The penalties for infringement are severe, and the buck stops with the board.