Last reviewed on 25 May 2018

All you need to know about how to deal with personal information

GDPR (the General Data Protection Regulation) is the data protection law that applies from 25 May 2018. It covers personal information and how organisations get it, store it, keep it accurate, use it, share it, dispose of it and allow individuals access to it. In a nutshell, it’s about handling personal data in a way that’s clear, trustworthy and responsible. And if we get it wrong, the regulator can impose fines of up to 4% of worldwide turnover – that’s nearly £400m for Co-op.

Transcript: GDPR summary animation

Protecting information is very important at the Co-op… The General Data Protection Regulation means you need to deal with data compliantly……

Actually, do you know what? This is bigger than rules and regulations. I mean, it’s true – the law does say we must protect personal information. But more than that - it’s about the kind of people we are. People trust our Co-op. Well, let’s be honest – they trust you. The person they speak to on the phone, chat to in store or give their information to. Come a little closer: You see, we’ve got whole teams who specialise in protecting and managing information. But actually, this is all about you. Your rights - and your actions. I mean you Jean in Brighton. And you Salim in Newcastle. And you Jon in Cardiff. Everyone! Our Co-op is known for doing the right thing. And that includes being careful with people’s information. Information or data means anything from email addresses and card details, to Facebook posts and even CCTV footage. Our world is full of information, so we need rules about how it’s looked after. At our Co-op, when we collect information from people, we promise we’ll keep that information safe. And we keep our promises! But we need your help. If the Co-op doesn’t look after information properly, there can be really serious consequences. Big fines, but more than that – people will stop trusting us. That means they might not want to shop with us or work for us. These days we all have the right to know how our own information is being used. To know that it’s only being used by the right people for the right reason. When you give someone your own personal information, you expect them to use it with care. So, if you come across information at work, then you need to use that with care too. It’s part of looking after each other. We all need to make sure information is properly handled – that means keeping it safe, treating it with respect and telling the right people if you think something’s gone wrong. We want our Co-op to be known as an organisation that can be trusted with people’s information. 
Looking after our own and each other’s information will make us a stronger Co-op and a stronger community. Protecting information. It’s all about you.

GDPR applies to everybody's personal information.

It applies to data in any form:

Electronic (eg, emails, databases, contact lists)
Physical (eg, paper reports, forms,
Any other methods of capture (eg, CCTV recordings)

Personal information means:

Obvious things (eg, names, addresses, ages, bank details)
Less obvious things (eg, online identities, photographs, location data)
Sensitive things (eg, health data, religion, sexual orientation, political ideals)

Here’s a summary of what GDPR is about which you can print if you need to – plus you might like to use this ‘what GDPR is all about’ summary sheet if you wish to brief others.

We’ve also produced some GDPR posters and postcards that you might like to use with your teams.

More information about GDPR

Your rights as an individual with GDPR - GDPR brings new and expanded rights for everyone around their information.

Securing our information - Knowing our policies and standards around handling data will keep us legal.

It’s about being fair - We need to be clear about what we’re asking for, why we’re asking for it and what we’re using it for.

Data: handle with care - We’ve committed to being trusted with data, so we must handle it with care.

Find out who your data lead is on the intranet.

Key GDPR policies

These are currently available only on the intranet:

Data Protection Policy - This policy tells you about your responsibilities in dealing with personal information, what laws apply to this, and what other policies or controls you might need to refer to.

Information Classification and Handling Policy - This policy tells you about your responsibilities for keeping customer, member, and fellow colleagues’ personal information safely and how to do this.

Retention Policy - This policy tells you about your responsibilities for making sure personal information is held for the right amount of time and that it’s not kept for too long or not long enough.

Disposal and Destruction Policy - This policy tells you about your responsibilities for making sure personal information is destroyed securely.

Supplier Security Policy - When suppliers handle Co-op information, it is important to ensure that they provide adequate security.

If you need further support

If you still have queries that the above information or your Data Lead can’t answer – or if you have any feedback on this content or suggestions for what other information you’d like to see here – then please contact us: