The current UK Data Protection Act (DPA) was ratified in 1998, just as the public internet was taking off. Its replacement, the EU General Data Protection Regulation (GDPR), is expected to emerge from years of protracted negotiations onto the statute books at the end of 2015 or early in 2016.
It is widely agreed that the current rules are in urgent need of a refresh, given the huge changes that have taken place since 1998, with mobility, home-working and e-commerce all having taken off since that time and with a hyper-connected Internet of Things (IoT) world of driverless cars and smart homes just around the corner.
However, organisations could be forgiven for being unprepared for the changes. The legislation has changed markedly as it has bounced between the European Council, Commission and Parliament, but news of these changes emerges more often through leaks than via a formal announcement.
That said, there are some changes that are likely to emerge relatively unscathed. One is the requirement for companies that control and process personal data to appoint a Data Protection Officer (DPO) if they employ 250 people or more, or if processing such data is their core business.