You’d want your own data to be handled with care by other companies, so we need to make sure we’re handling our colleagues’, customers’, members’ and suppliers’ data in the same way. This isn’t just to prevent leaks or misuse, but also so that we know where it is and can easily get it if an individual asks for it.
As we said in our earlier story about your information and your rights with GDPR (the General Data Protection Regulation that comes into effect on 25 May this year), anyone is able to ask any company to confirm what information they have about them. But to be able to do that, we need to handle the data correctly in the first place.
Some things we can all think about to help:
Know where it is – making sure all the information we have is held securely and findable will mean that we can get it all together if asked for it.
Always think about privacy – where we do need to share information (internally or externally) to get the job done, we must only share what is needed. Instead of sharing a whole spreadsheet, we should only send over the relevant bits – anonymised where possible.
Keep it accurate – we must collect data accurately, and then make sure we keep it up to date.
Only keep for as long as you need it – with massive amounts of data collected every day, the simple rule is to only keep it for as long as you need it – not ‘just in case’. This’ll make it easier to find information if asked for it by individuals, and also cut down on the storage we need.
High risk? Think harder! – we need to have a ‘Data Protection Impact Assessment’ for activities that may be high risk, such as:
- where new technology is involved which people might feel intrudes on their privacy
- where we capture ‘special category’ information (see below)
- where information will be used to make decisions about people which will have an impact on them.
Doing this will help us reduce, or get rid of, the risks.
Handling personal ‘special category’ information
This is information such as health, ethnicity, sexual orientation, religion, and political beliefs. We have to treat this information even more carefully and not associate it with other personal information that could cause prejudice in any way.
Keep informed about GDPR
We’re working across Co-op to make sure you have clear processes and procedures in place to help you to look after personal information. In the meantime, if you have any questions, please don’t hesitate to get in touch with the Data Protection Team or the Data Governance Team.
You can also find more information about GDPR on the intranet by searching ‘GDPR’ (we’ll be making this content available on our colleague site shortly – in the meantime, if you don’t have intranet access and want to read this, then please ask your manager).
Keep a look out for more stories about different parts of GDPR here.