Upcoming Courses


Upcoming Events



GDPR: Getting Prepared

Comes into force 25th May 2018

What you need to know

On 25th May this year, the most important change to data privacy regulation in 20 years will come into effect. The EU General Data Protection Regulation (GDPR) will replace the previous Data Protection Directive and organisations which do not comply could be susceptible to heavy fines.

The GDPR will impose greater legally binding obligations on organisations. Data Protection training will be mandatory, a Data Protection Officer appointed in most cases, financial penalties increased to €100 million and more comprehensive rights afforded to data subjects.​

Get prepared

Download our GDPR Guide

The IPM have created a guide, exclusively for IPM Members to ensure your organisation is GDPR compliant. In the guide, we provide helpful information, details of the changes to data privacy regulation and steps to help you prepare.

The ICO's recommended steps

The Information Commissioner’s Office (ICO) have provided the following 12 recommended steps to becoming GDPR compliant. For more information, visit the ICO website​.

  1. Awareness
    Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
  2. Information you hold
    Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.
  3. Communicating privacy information
    Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals’ rights
    Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject access requests
    Update your procedures and plan how you will handle requests to take account of the new rules.
  6. Lawful basis for processing personal data 
    Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  7. Consent
    Review how you seek, record and manage consent from individuals and whether you need to make any changes. Refresh existing consents now if they don’t, or may not, meet the GDPR standard.
  8. Children
    Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
  9. Data breaches
    Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Data Protection by Design and Data Protection Impact Assessments
    It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
  11. Data Protection Officers
    Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
  12. International
    If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.