Find out more about Data Protection and what it means for you...
In May 2018, new EU data protection legislation came into effect for all member states (the General Data Protection Regulation, or GDPR). The Data Protection Act 2018 (DPA) sets out the framework for data protection law in the UK. The DPA updates and replaces the former Data Protection Act 1998 and sits alongside the GDPR, tailoring how the GDPR applies in the UK. Data protection legislation regulates the processing of people's personal data, which means the way personal data is collected, used, shared, stored and disposed of by public and private organisations.
There isn’t a business group within the Society that doesn’t process people’s personal data, with different purposes and in different measure, so we are all accountable for looking after this data.
Over the years, the Society has processed an ever larger amount of personal data, whether about members, customers, colleagues, contractors and agency workers, third-party business partners and so on. We also make far more use of electronic communication channels, such as email and social media, which exposes people's personal data to greater risk, so we have to make sure we adequately safeguard the personal data our customers, members and colleagues have entrusted to us.
The Information Commissioner's Office (ICO) is the supervisory authority for data protection in the UK. It is tasked with protecting people's individual rights over their personal data and making sure organisations comply with the law. Failure to comply could lead to serious consequences for the Society – financially, commercially and reputationally – including decreased sales, increased complaints, loss of customer confidence and negative press.
For serious breaches, the ICO can impose fines of up to 4% of an organisation's annual worldwide turnover (or €20 million, whichever is higher) – that's approximately £60 million for the Society!
What is personal data?
Simply put, any information relating to a living person who can be identified from it – name, surname, postal and email addresses, telephone number, financial information (bank account details, credit and debit card numbers etc.), payroll number, date of birth, NI number… but also more sensitive information such as health and medical records, physical appearance and photographs, religious and political beliefs, or sexual orientation, which the law protects more strictly.
Of course, data protection law is not just about other people’s personal data!
The Society also holds information about you, as a colleague, and it must protect and be respectful of it. The Society’s Privacy Notice for Colleagues, Workers and Contractors explains how this is done.
Our Policies, Procedures and Guidance
Like any other organisation that processes people's personal data, the Society has a number of obligations to comply with. It is therefore essential that colleagues are familiar with, and comply with, all the relevant policies the Society has put in place to ensure compliance with the law. The Society has also created some useful guidance documents to help colleagues who are unsure what to do in certain situations; click on the links below to find out more...
Informing the Public
What rights do people have over their personal data?
Most of the rights people have over their personal data already existed before the GDPR and the DPA came into effect, but they weren't very well known. The GDPR makes those rights clearer and wider, and also adds some new ones, such as the right to be forgotten (the right to erasure), the right to restrict processing of personal data, and the right to data portability.
Colleagues should familiarise themselves with the Society's Colleague Guidance – Individual Rights requests, to ensure they understand these rights and know what to do when they receive an individual rights request from a customer, a member or a colleague.
The most frequent request we receive is from people wanting to access the personal data we hold about them, and often they want copies of it. This is called a Subject Access Request and, as with any other type of request regarding personal data, the Society has an obligation to complete it within one month of receipt, and our response must comply with the requirements of the law. This means we must be proactive, timely and accurate in our responses.
If you receive any of these requests, make sure you follow the process explained in the Colleague Guidance above.
What to do when things go wrong
The law says we have an obligation, as an organisation, to protect people’s personal data from “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage”.
What does that mean? It means that if any of those things happens to personal data we hold, it is a personal data breach.
Every time we process people's personal data, which for many of us is every day, we must be thoughtful about who we share it with, how we store it, how we use it and how we dispose of it when we no longer need it. We must treat other people's personal data with the same care we would use for our own, and this applies to all of us, regardless of seniority, job title or business location. So, remember…
Think - Respect - Protect
But sometimes things go wrong, and when they do we need to act quickly.
If you think you, or a colleague, may have caused a data breach, or you have spotted something which doesn't look right, act quickly and follow the process outlined in the Colleague Guidance – Dealing with data breaches. The Society has only 72 hours from becoming aware of a reportable breach to notify the ICO, so any delay in raising it internally eats into that window.
Need more help?
If you have any questions about our policies, or a general query about data protection, or perhaps you have read a Colleague Guidance and you still aren't sure what to do, seek additional information from your Data Protection Champions (DPCs). There are two DPCs in each business group; to find your DPC and get in touch, please click here.
Alternatively, you can also contact the Society's Data Protection Officer (DPO) directly, either by email or post: email@example.com; Secretariat Group, Co-operative House, Warwick Technology Park, Warwick, CV34 6DA.