Vicky McGhee

Today’s Data Protection Day, and it’s quite a big milestone for me. As well as being a time to reflect on our progress since the General Data Protection Regulation (GDPR) came in last year, it’s also the same day as my 21 year Co-op anniversary.

Since I started at Co-op I’ve had various data related roles – data governance, data quality and information security, and for the last 11 years I’ve been in data protection at Co-op Risk.

I’ve been in my role of Data Protection Officer since June and I’m absolutely loving it. It’s challenging, because it’s a role which is brand new to the industry (introduced as part of GDPR) so it still needs shaping, but it’s something I can really get my teeth into. I’ve just finished building my team, we’re small but we have a great mix of experience – some of us have previously worked for the Information Commissioner’s Office, local councils or the NHS, and we also have home-grown Co-op talent too. I’d like to say a big thank you to them all for working really hard to adjust to their new roles and hit the ground running.

We’re obviously really passionate about making sure the personal information of our customers, members and colleagues is treated with care and respect. Not just because we legally have to, but because it’s the Co-op way – we want to be responsible, ethical and caring.

My team is responsible for: supporting colleagues who collect personal information to be really clear about what it will be used for, helping them respond to requests from individuals asking for copies of their information, or asking for their information to be erased or changed, making sure that any data breaches and complaints are investigated and managed effectively, and doing a ‘Data Protection Impact Assessment’ for any high-risk initiatives.

People often ask why I love Data Protection so much. Even now there’s always something new to learn and every day is different. It’s hard to have a to-do list as you never get to the end of it. Some of it is so reactive – if you have a data breach everything else goes out the window and it’s all hands on deck for as long as it takes. There have also been a lot of exciting changes at Co-op, and developments like our new membership offering, new products and businesses all have potential data implications. I love to see where we can add value, and the earlier teams engage with us, the more we’re able to help them do the right thing in a way benefits us commercially, and meets the needs of our audience.

Colleagues across the Co-op did a huge amount last year to get ready for GDPR, really working together to spot the things we needed to do better and fixing them. There was a lot to do in a very short space of time, and I want to take this opportunity to thank everyone involved. This gave us really great foundations to build on, but we can’t take our foot off the gas – there’s still a lot to do. Key focus areas for this coming year will include ongoing communications and training, and making sure that all our key policies and processes are in place and tested to make sure they’re effective.

If I was to give colleagues any advice this Data Protection Day it would be this:

  1. Take a moment to refresh your knowledge of data protection and the tips and hints we shared last year about your rightsbeing fairhandling information with care and securing information
  2. If you’re planning any changes that involve personal information – or even if you’re not completely sure if it does –  come and talk to us early or speak to your Data Lead as we can advise you
  3. Whether in work or at home – if something doesn’t feel right, or you feel that people are asking for too much information – question whether they really need it

Happy Data Protection Day,

Vicky McGhee
Data Protection Officer

Join the conversation! 15 Comments

  1. Thanks for all the positive and supportive messages received. It’s great to hear that so many of you enjoyed the atrium event and are keeping data protection at the forefront of how you manage personal data in your teams. Let’s keep up all the good work.

  2. Thanks and great update Vicky. Keep up the good work.

  3. Congratulations Vicky! I had no idea you’d been at the Co-op so long. You have a great team around you which have helped me across numerous pieces of work of the last year.

  4. Yes, the case of individual passwords is different, as opposed to shared system passwords that were described above, which is where user turnover comes into play.

  5. Great to see the DP team pushing on after the GDPR programme completed and the Atrium event was very enjoyable!

    All projects and programmes involving data should contact Vicky in the early stages of their journey and then one of her team can support them in completing the initial screening questionnaire and then if necessary the full Data Protection Impact Assessment to make sure colleague, member and customer data is dealt with in the right way.

    • Hi Mark, thanks for your comment and for joining us at our Atrium event. Yes, with so much talk about GDPR last year, it could be easy for people to think that the hard work’s all done, and that we can sit back and relax! In reality, we need to build on the great foundations laid last year to continually test and improve our processes and systems, and making sure colleagues have the right guidance and training in place.

      And thanks for the shout-out to our ‘Data Protection Impact Assessment’ (DPIA) process – it’s a great way to make sure that risks are spotted (and solutions identified) at an early stage when colleagues are planning to change what we’re doing with personal information. Colleagues can contact the team for advice on this via our data protection mailbox.

  6. PLEASE can we stop having to change passwords on any of the Co-op store systems? A strong password forever is more secure than a simple password that keeps getting advanced one number.

    Kronos, email, YSYS, all examples of this. Our store’s kronos password could be guessed by a child. It has to be simple so we can keep advancing it one digit every 6 months. My email password started out with my daughter’s birthday in it, but now she won’t be born until 2026. Our YSYS password now has 4 !’s in it. I’m not sure how many more !’s we can take!

    • Hi Steve,
      I feel your pain, but unfortunately there’s no good argument against regular password changes. Even if a system had no user turnover, the possibility of a password “leaking” invariably increases with time. However as you point out, merely adding a number doesn’t constitute a password change, and many systems do not allow this.

      • “Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason.”

        • agreed. stop expiring passwords!

          let people login with a password and on new devices/periodically make them use a token on an app on their phone to login again.

          look at how google do it. 1 set password. with 2FA using AI to decide when it’s needed.

    • Hi Steve, thanks for commenting! I’ve linked in with the Information Security team to discuss this. We completely sympathise with you – it’s tough keeping track of lots of passwords, and often results in people either choosing very simple ones or writing them down. And we agree, a strong password that people don’t have to change so often is likely to be more secure.

      This is something that we’re aware of in Co-op, and we’re working towards something which will help. There’s a project working to pull together the applications that an individual colleague has access to into one place, and we’re working towards alternatives to shared logins for store systems as well.

      • For me the point is more that there are lots of complicated passwords required with different sets of rules and I cant remember them so have to write them down or I wouldn’t be able to do my job.

        However by writing them down I’m in breach of the Co-op’s IT security and data policies and can be disciplined. Its simply not fair to me or other colleagues. And the project to fix it has been a thing for so long now that its really about time it delivered some change.

        • Hi Alex – we agree, at the moment, it can be very difficult for colleagues needing access to many different systems with system-enforced password requirements. If you contact us at we can look at ways of making it easier for you in the meantime – setting you up with a password manager may be an interim solution.

          • can we have mobile phone 2FA setup with an app – and then static passwords.

            use AI to trigger the 2FA like google, microsoft, etc. do

            • Hi Simon – we use a lot of systems here in the Co-op, so the implementation of what you’re describing is a very complicated task and one that has to be designed, rolled out and managed very carefully. As mentioned in previous comments, there is a solution that is being phased in at the moment which addresses many of the frustrations colleagues face in relation to passwords – we can’t discuss our security solutions on here in detail but if you contact me directly (Christina Shannon) or the askinformationsecurity mailbox, we can give you some more info on what’s happening.

Comments are closed.


GDPR, The Co-op Way


, ,