
Millions of people trust us with their personal information. In turn, we need to make sure that our third party suppliers, who process/use this information to provide services to us, keep it secure and handle it properly, too. It’s our responsibility to check this under GDPR (the General Data Protection Regulation that comes into effect from 25 May 2018).

This is one reason we have our Buying Goods and Services Policy [intranet link*] – if you follow this whenever you deal with external suppliers, then you’ll be doing the right thing. This is about carrying out our due diligence, and involving the likes of Legal, Procurement, Data Protection and Information Security teams before we agree anything with suppliers, to make sure we do the right thing by those people we hold information about, and stay on the right side of the law.

To bring this to life, take the example of our Membership cards. We collect a new member’s personal information, making sure we collect, store and use this in the right way. But we don’t print and send out the cards ourselves; we use a third party supplier to do this for us. So we need to have an agreement in place to cover what information they need to do that job (they may not need everything we’ve collected); that they’ll use it only for the purposes we’re asking them to do (e.g. printing and sending out the card); and that they need to keep it securely and destroy it [the personal information] when the task has been carried out.

The GDPR uses the terms ‘Data Controller’ and ‘Data Processor’ to describe all this, but as long as you’re making sure that personal data is treated correctly by us or by anyone acting on our behalf – whether that’s for a single person’s data or all our millions of members’ data – then you’ll be doing the right thing.

More information

There’s now a new page on our colleague site that gives you access to all the information you need to know about GDPR – including all the stories we’ve been publishing here.

[*To access the intranet, you must be logged into the Co-op network – ask your manager if you need access]