
When we ask for personal information, we have to make sure it’s clear why we’re asking for it, and what we’re going to use it for – and then actually only use it for that reason. This is another of the areas that the new GDPR (General Data Protection Regulation – coming into force from 25 May) focuses on.

We’re updating our privacy statement about what we do with personal information to make sure it’s very clear about what information we collect, what we do with it, who we share it with and how long we’ll keep it for.

And this applies to any form of information we’re collecting, whether that’s through a website, a paper form, a telephone recording, CCTV, social media or any other way we may capture it.

Keeping it legal

Obviously we need to collect personal information – for colleagues working here and customers and members shopping with us and using our services. And there are bits of GDPR which allow us to do this where it’s needed for certain things. But when we do, we must remain legal and make sure that we’re not forcing their consent or tricking them into allowing us to use their information in an unfair way.

For example, if we were to say that you can only enter a competition if you consent to receiving weekly marketing emails, that would be wrong. The individual has to have the right to enter the competition and only have their personal information used for that purpose.

Clear consent

[Picture: a clear, simple consent note on the Co-op website]

We must never use those confusing ‘untick this box if you do not want to not be contacted in the future’ type messages when we collect personal info. Instead we are being very clear about how people opt in, should they wish to, to further marketing and contact that may be useful for them (as shown on the right).

Along with the use of consent from individuals allowing us to use their information, we can also rely on other areas to process personal information. For instance we can use personal information for the performance of a contract (like your employment contract) or for legal or compliance reasons (like reporting accidents).

Do you handle or hold any personal information?

You wouldn’t want your personal information used in the wrong way, so we need to make sure that we’re being trusted with our colleagues’, customers’ and members’ information too.

When you’re collecting information from people, do you know whether you’re allowed to and are you being really clear with people about what you’re using it for?

We’re working with representatives from across Co-op to make sure you have clear processes and procedures in place to help you to look after personal information. In the meantime, if you have any questions, please don’t hesitate to get in touch with the Data Protection Team at dataprotection@coop.co.uk.

You can also find more information about GDPR on the intranet (we’ll be making this content available on our colleague site shortly – in the meantime, if you don’t have intranet access and want to read this, then please ask your manager: search ‘GDPR’ on the intranet to find it).

Over the coming weeks, we’re also going to publish more stories about different parts of GDPR here.

7 Comments

  1. From a complaints perspective and retaining records. Although it isn’t a regulatory requirement to retain telephone calls it’s good business practice, with helping the business learn. In terms of complaints, occasionally the calls made are a critical part of the decision making and we are required to retain complaint records for 3 years from a regulatory requirement. (I think for legal requirements it’s 6.) So we may be removing calls we think we no longer require too early. If a customer makes an allegation about the Co-op, in order to address this it may be appropriate to retain the call to establish the facts, rather than make assumptions, as with any large organisation, mistakes are made and we may not understand what the mistake was, if any.

    • Thank you for taking the time to comment.
      We have an obligation under the current Data Protection Act and the new GDPR to keep personal information for no longer than needed. In the scenario you describe, it would appear there is a justified business reason for keeping the calls for training purposes but there may also be a legal obligation to keep for longer in case of claim against the Co-op. In both of these scenarios you would need to weigh up how long it’s necessary to keep the records for training and then any additional time needed to meet other legal or business needs. For all records (not just voice recordings) careful consideration is needed to ensure we keep records for long enough, for example to defend against a claim, but ensure we don’t bundle the information and keep it all ‘just in case’. If you’re concerned information could accidentally be deleted too soon, you could look to set a review date on certain types of information prior to an auto-delete. That way you could check if the information needs to be kept for longer due to an ongoing or potential claim or if it can be deleted.
      James Cullen
      Data Protection

  2. For GDPR to be successful in any business the policies need to be consistent, centralised and clear across all business areas. We can’t have a pick and mix of “well we want to do it our own way”!

    Multiple business areas having differing and multiple policies on what should and shouldn’t be done confuses the colleague. They don’t know what they should and shouldn’t be doing so we open the organisation up to criticism and possible fines from the regulator.

    Colleagues don’t know who to go to for what information. When they have a full time day job sadly these things get pushed to the side of the desk. If I type in GDPR in the search engine of the intranet I don’t get anything helpful…

    We strive to be One Coop, that is our direction and chosen path. This is not going to happen with words and speeches. Documented processes need to change….and be documented.

    My 2 pence worth anyhow…

    • Thanks for the comments. With regards to the policies. The Enterprise Risk Management Framework are in the process of ensuring consistency with policies and standards. Data Protection is just one of the risk categories. Through reviewing and revising the policies and standards and putting into new standard formats (the revised Data Protection ones that can be found here) you’ll start to see more consistency coming through as the different risk categories revise their documents.
      With regards to the individual business policies – there will be one set of Co-op policies but individual areas may have their own local processes and procedures that set out what you need to do to comply with these overarching policies.
      You make a good point with regards to where to go for information and that is why we are in the process of updating all our Data Protection and GDPR pages along with issuing comms like this one so colleagues know more about what is going on and where to go for information. Keep an eye out for the next GDPR comms coming soon.
      If you would like further information please contact the Data Protection Team and we will be happy to assist in any other queries.
      Many Thanks
      James Cullen
      Data Protection

  3. Hi,

    Great to hear that we are taking customers information seriously and avoiding those ridiculous “untick if you do not want” boxes.

    Out of curiosity, when it comes to keeping information as long as it’s needed, how would this work in regards to call centre colleagues? As we need to record calls in case further down the line we need to trace a problem. But then if we need to only keep it as long as we need it and the customer doesn’t take out for example an insurance policy. Would we then be required to delete the phone call from our records with their details stored? If so how would these calls be selected and deleted out of the thousands we receive?


    • Hi Mike,

      You hit the nail on the head – we only need to keep information for as long as is needed. This is set out in the Co-op retention schedule and local retention schedules.
      So if the information is no longer needed then we should be deleting the record in line with our retention requirements.
      The identification and deletion of these records will be supported within a local process that will be implemented as part of the ongoing GDPR programme work.
      Hope this answers your queries. If you have any further please contact the Data Protection Team.
      James Cullen, Data Protection Team
