How to prepare for GDPR 2018

By Sandra Madigan, Law Content Manager HR, CIPD

As you work through your organisation assessments in readiness for the General Data Protection Regulation (GDPR), take stock and consider the Data Protection Bill, which came out this month. The Bill aims to uphold cyber security and privacy of information, and introduces new offences such as altering, destroying or concealing information requested by an individual under a subject access request (SAR). SARs are one of the processes that you need to audit in preparation for the GDPR, which comes into force on May 25, 2018, and the Bill further highlights the need to review and update your policies, procedures and processes in line with the GDPR.

If you haven’t already completed your organisation audit and started prepping for GDPR based on your results, now is the time to start doing so.

Have you, for example:

• Identified potential compliance problems and recorded these on the organisation’s risk register?
• Chosen your Data Protection lead and communicated who it will be?
• Reviewed how you seek, record and manage consent?
• Considered whether you will need to conduct Data Protection Impact Assessments?
• Reviewed how you will assess and act on any breaches?

If you haven’t already started working on these action points, or you are not sure how to, book your place on CIPD Law on Tour, which is coming to a place near you in October 2017. We will be discussing the GDPR and many other topics.

Looking forward to seeing you there.


  • Thanks for the timely reminder, Sandra. Also important for organizations to consider is how they are managing the recording and storage of the data. Remember, as an employer, you are liable for all data held in the organization – including on individual PCs, notebooks, anywhere. And you are also liable for all data provided to or held on your behalf by your suppliers.

    And if a data breach occurs, you need to be able to show how you have reviewed and responded to all personal data treatments (including storage) within 72 hours, making a central repository and data management system an essential tool.

    Susanna, Quidgest: GDPR solutions