Find out more about data protection and what it means for you.
In May 2018, new EU data protection legislation came into force for all member states (the General Data Protection Regulation, or GDPR), which became law in the UK as the Data Protection Act 2018 (replacing the Data Protection Act 1998). Data protection legislation regulates the processing of people’s personal data, which means the way organisations collect, use, share, store and dispose of personal data.
There isn’t a business group within the Society that doesn’t process people’s personal data, with different purposes and in different measure, so we are all accountable for looking after this data.
Over the years, the Society has processed an ever larger amount of personal data, about members, customers, colleagues, contractors and agency workers, third-party business partners and others. We also make far more use of electronic communication channels, such as email and social media, which potentially exposes people’s personal data to increased risks – so we have to make sure we adequately safeguard the personal data our customers, members and colleagues have entrusted to us.
The Information Commissioner's Office (ICO) is the supervisory authority for data protection in the UK. It is tasked with protecting people’s individual rights over their personal data and making sure organisations comply with the law. Failure to comply could lead to serious consequences for the Society – financially, commercially and reputationally – including decreased sales, increased complaints, loss of customers’ confidence and negative press.
For serious breaches, the ICO can impose fines of up to 4% of an organisation’s global turnover – that’s approximately £60 million for the Society!
What is personal data?
Simply put, anything that identifies a living person – first name, surname, postal and email addresses, telephone number, financial information (bank account details, credit and debit card numbers etc.), payroll number, date of birth, NI number… but also health and medical information, physical appearance and pictures, religious and political beliefs, or sexual orientation.
Of course, data protection law is not just about other people’s personal data!
The Society also holds information about you, as a colleague, and it must protect and be respectful of it. The Society’s Colleagues Privacy Notice explains how this is done – you can see it here: [coming soon]
Our Policies and Procedures
Like any other organisation that processes people’s personal data, the Society has a number of obligations to comply with. It is therefore essential that colleagues are familiar with, and comply with, all the relevant policies and procedures the Society has put in place to ensure compliance with the law.
Here are the key policies you should know about:
- Data Protection Policy [coming soon]
- CCTV Policy and Guidance to Managers [coming soon]
- Clean Desk Policy [coming soon]
- Acceptable Use of IT Facilities Policy [coming soon]
- Data Retention & Disposal Policy [coming soon]
What rights do people have over their personal data?
Most rights people have over their personal data already existed before the new legislation came into effect but weren’t very well known. The GDPR makes those rights clearer and wider, and also adds some new ones, such as the right to be forgotten, the right to restrict processing of personal data, and the right to data portability.
The Society has put in place the Colleague Guidance – Individual Rights requests, which colleagues should read and familiarise themselves with, so that they understand these rights and know what to do when they receive an individual rights request from a customer, a member or a colleague. You can access it here: [coming soon].
The most frequent request we receive comes from people wanting to access the personal data we hold about them, and often they want copies of it. This is called a Subject Access Request and, as with any other type of request regarding personal data, the Society has an obligation to complete it within 30 days, and our response must meet the requirements of the law. This means we must be proactive, timely and accurate in our responses.
If you receive any of these requests, make sure you follow the process explained in the Colleague Guidance - Individual Rights requests.
What to do when things go wrong
The law says we have an obligation, as an organisation, to protect people’s personal data from “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage”.
What does that mean? It means that, should any of the above happen, it would be a personal data breach.
Every time we process people’s personal data, which for many of us is every day, we must be thoughtful about who we share it with, how we store it, how we use it and how we dispose of it when we no longer need it. We must treat other people’s personal data with the same care we would use for our own, and this applies to all of us, regardless of seniority, job title or business location. So, remember…
Think - Respect - Protect
But sometimes things can go wrong, and when they do, we need to act quickly.
If you think you, or a colleague, may have caused a data breach, or you have spotted something which doesn’t look right, you should make sure you act quickly, following the process outlined in the Colleague Guidance – how and when to report data breaches. You can access it here: [coming soon].
Need more help?
If you have any questions about our policies or about data protection in general, or if you have read a Colleague Guidance and are still unsure what to do, you should contact your Data Protection Champions (DPCs) without delay. There are two DPCs in each business group, and you can find the contact list here: [coming soon].
Alternatively, you can contact the Society's Data Protection Officer (DPO): Alexandra Borghesi, Senior Assistant Secretary & Governance Officer - Secretariat Group, either by email: email@example.com; or by telephone: 01926 516 007.