Its already law
It Law now, and has been for a year, its just not being enforced untill May 2018, and the Brexit process AKA Article 50 doesnt finish untill May 2019.
GDPR in terms of its rights and responsibilities is not so different to DPA, its just that yo need to prove your compliance with GDPR and that of your subcontractors who can be sued jointly or severably (rather than just you taking the can)
The other changes bring in some interveening regulations like the right to be forgotten and data portability
Even post brexit its likley to be kept as the ICO wrote a lot of it. there may be some issues with enforcement thought as ICO dont really have the staff to handle the mount of work involved. (i've heard from reputable sources they need approx 10x the staff and DCMS wont stump up the cash)
On top of all this, we are still waiting for how the national derogations will pan out, so nothing has really changed since may last year, and a lot of things still need ironed out.
