With just under a year until the General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998, employers should consider the necessary steps to ensure compliance. The GDPR makes it clear that consent must be freely given if there is no genuine free choice. In addition, a data subject has the right not to be subject to a decision made solely by automated processing if that decision affects them. To ready themselves, employees should perform an audit on the personal data held by the company and compile a data processing register. They should consider the issue of where consent is avoidable and appropriate and review and amend existing Data Protection Policies.