In the engine room of any company, new regulation tends to be experienced as a burden, not an opportunity. But the new EU data protection laws which take effect in May offer Boards the chance to bring about a fundamental shift in corporate attitudes to the use of data and to cyber security. The leadership of companies can use GDPR to understand their own business better, to the benefit of their own digitization projects, as well as their security and reputation. Nor is this shift stopping at the borders of Europe; it will have a significant impact on any company doing business in or with the EU, and affect much of its supply chain.