It's been nearly a year since the General Data Protection Regulation (GDPR) was brought into force in the UK and Europe.
Now's a good time to reflect on the impact it has had. So Co-operatives UK is running GDPR: One year on – a day of training in Birmingham on 15 May.
Enquiries to the Co-operatives UK advice team on GDPR show that a significant number of co-ops are still working towards compliance. Many are proactively looking at how to comply with the principles underpinning the GDPR and, in particular, the principle of accountability.
Co-ops, like other organisations, have had to review their policies, procedures and systems and, where necessary, make changes to ensure that they are working effectively so that they continue to operate within the expectations of the GDPR.
Helping you out of the confusion
Sion Whellens from design agency Calverts, a small worker co-op in London, said that there was lots of “scratching of heads” when considering the impact of GDPR on their co-op. In reviewing its processes, the members found Co-operatives UK’s guide ‘Get your co-op GDPR ready’ helpful in understanding what personal data the co-op held, how it was obtained and how the co-op was processing it.
In the end, Calverts found that they could rely on the legal grounds set out in the regulation for the processing of their customers’ personal data.
Alexandra Borghesi, senior assistant secretary from large consumer co‑op Midcounties Co‑operative, found that the main challenge of complying with GDPR came from the complexity of the society’s business. With a portfolio of 7 different trading areas – including travel, childcare and utilities, the society couldn’t take a “one size fits all” approach to compliance.
A year-long compliance programme began with mapping and cleansing data, followed by tailoring guidance and privacy notices to reflect each trading area. Although a large and complex task, Alexandra is confident that this was the right way to deal with compliance – and it has strengthened the society’s overall approach to risk assessment and security in data governance.
GDPR compliance is a marathon, not a sprint
Co-ops that have carried out their initial assessments of how they handle and process personal data should have a plan that regularly monitors compliance, so the co-op’s governing body can assess what is working well and what may need further improvement.
The important point is not to become complacent. Since the GDPR came into force we have seen high-profile data breaches, including at Facebook and British Airways, but we have not yet seen how the ICO will use its regulatory powers to impose penalties for them.
The ICO's “teeth” have been sharpened under the GDPR and it can now impose much higher fines for serious breaches. As an example, Facebook was previously fined the maximum £500,000 under the old regime. Under the GDPR, the ICO could fine Facebook up to 4% of global annual turnover (or €20 million, whichever is higher), meaning a maximum fine of over £1.5 billion, for its latest breach.
Keep compliant, here's how...
So, what can co-ops continue to do in order to stay on the correct side of the GDPR? Here are some top tips.
- It's not too late to comply. If you haven’t done so already, take a look at our guide and contact us if you need help to bring your co-op up to speed with the GDPR.
- Consider what data your co-op has and where it is stored, what the risk to that data is and what you are doing about the risk. For example, have you got policies in place that set out when data should be destroyed and are you following them?
- Ensure that staff know that compliance with the GDPR is everyone's responsibility and encourage them to take an active role in ensuring compliance.
- Review and strengthen your security processes. For example, when members of staff leave, are there procedures to prevent them from logging on to office systems and gaining access to the co-op’s data?
- Run regular training for staff. Handling data is a skill, and refresher sessions should be scheduled on a recurring cycle rather than run once. Co-operatives UK is running a session on 15 May to help bring co-ops up to speed with all things GDPR. You can book onto the course via our website.
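Two of the tips above, checking that data is destroyed when your retention policy says it should be and checking that leavers can no longer log on, are the kind of thing a small co-op can verify with a short script rather than by hand. The example below is added here and is not code from the Co-operatives UK guide or from any of the co-ops mentioned. It assumes two exports a co-op could plausibly produce: an HR leaver list with leaving dates, and a list of accounts from the office systems with an enabled flag and last-login date; plus a simple data inventory of record categories with creation dates and a retention policy expressed in days. All the names, dates and field names are constructed for illustration.

```python
"""
Added example: two compliance checks over constructed data.

1. Leaver access check: an account that is still enabled, or was used,
   after its owner's leaving date is a deprovisioning failure.
2. Retention check: a record held longer than its category's retention
   period (or with no period defined at all) should have been destroyed.

Field names (leaving date, last_login, retention days) are assumptions
about what an HR/IT export and a data inventory might contain.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The date the review is run on (constructed).
REVIEW_DATE = date(2019, 5, 1)


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]


# Constructed HR leaver list: username -> leaving date.
LEAVERS = {
    "jsmith": date(2019, 2, 1),
    "apatel": date(2019, 3, 15),
}

# Constructed export from the office systems.
ACCOUNTS = [
    Account("jsmith", True, date(2019, 3, 4)),    # left 1 Feb, still enabled and logged in since
    Account("apatel", False, date(2019, 3, 10)),  # disabled, last login before leaving date: fine
    Account("mjones", True, date(2019, 4, 28)),   # current member of staff
]

# Constructed retention policy: record category -> maximum days held.
RETENTION_POLICY = {
    "customer_orders": 6 * 365,
    "job_applications": 180,
    "newsletter_signups": 730,
}

# Constructed data inventory: (category, date the record was created).
RECORDS = [
    ("customer_orders", date(2012, 1, 10)),
    ("job_applications", date(2018, 6, 1)),
    ("newsletter_signups", date(2018, 1, 1)),
    ("job_applications", date(2019, 3, 1)),
    ("member_applications", date(2019, 1, 1)),  # category with no policy defined
]


def leaver_access_findings(accounts, leavers, today):
    """Return (username, reason) pairs for accounts of people who have left."""
    findings = []
    for acct in accounts:
        left = leavers.get(acct.username)
        if left is None or left > today:
            continue  # not a leaver, or has not left yet
        if acct.enabled:
            findings.append((acct.username, "still enabled after leaving date"))
        if acct.last_login is not None and acct.last_login > left:
            findings.append((acct.username, "logged in after leaving date"))
    return findings


def overdue_records(records, policy, today):
    """Return (category, created, reason) for records held past their retention limit."""
    overdue = []
    for category, created in records:
        limit = policy.get(category)
        if limit is None:
            overdue.append((category, created, "no retention period defined"))
            continue
        held = (today - created).days
        if timedelta(days=held) > timedelta(days=limit):
            overdue.append((category, created, f"held {held} days, limit {limit}"))
    return overdue


def run_checks(today=REVIEW_DATE):
    """Run both checks against the constructed data and return the findings."""
    return {
        "leavers": leaver_access_findings(ACCOUNTS, LEAVERS, today),
        "retention": overdue_records(RECORDS, RETENTION_POLICY, today),
    }


if __name__ == "__main__":
    for check, items in run_checks().items():
        print(f"{check}:")
        for item in items:
            print("  ", *item)
```

Run against the constructed data, the leaver check flags one account (jsmith: still enabled, and used after the leaving date) and the retention check flags three records (an order record held well past six years, a job application older than 180 days, and a category with no retention period defined at all). The last case is worth keeping in a real script: a record category nobody has written a policy for is exactly the gap the accountability principle expects you to find yourself.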