The Co-operative Food
The Co-operative Travel
The Co-operative Childcare
The Co-operative Flexible Benefits
Co-op Energy
Post Office
YourCoop Phone
YourCoop Broadband

Data Protection

Find out more about Data Protection and what it means for you...

Some information on this page is private. Sign in to view:

  • Contact list for your Data Protection Champions

Sign in  



Data Protection

Data Protection is about ensuring people can trust you to use their data fairly and responsibly. If you collect information about individuals for any reason you need to comply.

UK General Data Protection Regulation (UK GDPR) is the UK’s implementation of the EU GDPR and is tailored by the Data Protection Act 2018 (DPA). It controls how your personal information is used by organisations, businesses, or the government

The Information Commissioner’s Office (‘ICO’) is the supervisory authority and regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance, and take enforcement action where appropriate. Failure to comply with the law could lead to serious consequences for the Society. For serious breaches, the ICO can impose fines of up to 4% of an organisation global turnover – that’s approximately £35 million for the Society!


What is personal data?

Personal data is information which identifies a living individual such as: full name, home address, email addresses, telephone number, financial information (eg bank account details) payroll number, DOB, NI number.

The DPA differentiates between personal data and special category data which is of a more sensitive nature and must be treated with greater care than other types of personal data. Special category data includes racial or ethnic origin, religious beliefs, health information etc. Further details can be found in our Data Protection Policy.

Of course, data protection law is not just about other people’s personal data!

The Society also holds information about you, as a colleague, and it must protect and be respectful of it. The Society’s Privacy Notice for Colleagues, Workers and Contractors explains how this is done.


How does this relate to you?

Within the Society, every business group processes personal data. We typically deal with personal data about our colleagues, members, customers, and suppliers. This makes us all accountable for looking after this data.


Our Policies, Procedures and Guidance

The Society has a number of relevant policies/procedures to ensure we are compliant with the law. We also have some useful guidance documents to aid colleagues if you’re unsure what to do in certain situations, click on the links below to find out more...



Data Protection Policy

Short Guide for Colleagues

Data Retention & Disposal Policy

Colleague Guidance – Dealing with Data Breaches

Information Security Policy

Data Breaches – Are you Ready

Clean Desk Policy

DBS Checks – quick guidance for colleagues

CCTV Policy and Guidance to Managers

WFH 10 tips on GDPR

CCTV Privacy Notice - Food

Data Protection Do’s and Don’ts

CCTV Privacy Notice Non-Food

Colleague Guidance – Individual Rights requests

Use of Access to CCTV Recordings – Policy

DPC Guidance - Data Protection Documentation Specific for Your Business Area


DPC Guidance - Storage at Northway

We also have a compulsory Data Protection training module which can be found on iLearn here

DPIAs are an important tool for identifying data privacy risks and ensuring they are adequately addressed. This is a key part of the Society's accountability obligations under UK GDPR.

DPIAs help to ensure that colleagues involved in designing projects think about privacy at the early stages and adopt a 'data protection by design' approach.

If you're involved in a new project and are not sure if a DPIA is required, why not take a read of our 'Do I Need to Carry Out a DPIA' guidance. Once you've decided that a DPIA is required, please complete the necessary template and send to the Data Protection team for review. For further details on the approval process, please see the process flowchart.

What to do when things go wrong

Whenever we process personal data, we must think carefully about who we share it with, how we store it, how we use it, and how we dispose of it when we no longer need it.  If we don’t do that a personal data breach may occur.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. As such, a breach is more than just about losing personal data.

If a personal data breach occurs you need to act quickly and complete the necessary reporting form which can be found here. You should send a copy to the Data Protection team at so they can assess the severity of the incident and whether it needs reporting to the ICO. Acting promptly is vital as the Data Protection team has 72 hours from becoming aware of the breach to report to the ICO, where appropriate.


Need more help?

If you have any questions about our policies, or a general query about data protection, or perhaps you have read a Colleague Guidance and you still aren’t sure about what to do, you should seek additional information from your Data Protection Champion (DPC). There are two DPCs in each business group, to find your DPC and get in touch please click on the link below (please note, you must be signed in to Colleagues Connect to see the link below, if you are not signed in, please click here).

Alternatively, you can also contact the Society's Data Protection Officer (DPO) directly, either by email or post:; Secretariat Group, Co-operative House, Warwick Technology Park, Warwick, CV34 6DA.