Your co-op’s guide to data protection compliance
This guidance is an overview of the key elements of the UK’s current data protection regime. The framework of data privacy for UK businesses is largely the same as when the EU’s General Data Protection Regulation came into force in 2018.
In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
UK GDPR sets out the key principles, rights and obligations that govern how enterprises in the UK use, store and protect people’s data following the UK’s departure from the EU (and the requirement to comply with EU GDPR).
The Privacy and Electronic Communications Regulations (PECR) also impact how organisations use personal data; specifically how privacy is maintained when marketing via electronic communications or when using cookies and online activity tracking.
In the UK, data protection is regulated by the Information Commissioner’s Office (ICO). The ICO website is a great resource for guidance on detailed requirements and good practice for organisations seeking support in complying with the data protection regime. The ICO also handles complaints, monitors compliance and takes enforcement action against organisations failing to comply with the law.
Fundamentally, data protection law aims to protect the privacy of living individuals by restricting what businesses and not-for-profit entities can do with the data they have access to. Personal data is a huge asset for an organisation, but if it is misused it may breach individuals’ privacy rights.
Data protection requirements use some specific terminology:
- Data Subject: a living person who can be identified using the personal data
- Personal Data: any information identifying a data subject directly or indirectly through collation with other accessible information. Personal data can be factual (for example, a name, email address, image, location or date of birth) or an opinion about that person's actions or behaviour.
- Data Processing: any activity that involves the use of personal data. It includes obtaining, recording or holding the data and carrying out any operation on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to others.
- Data Controller: the person or organisation that determines when, why and how to process personal data and is responsible for ensuring appropriate policies and procedures are in place.
The UK GDPR applies to data processing by organisations operating within the UK. It also applies to organisations outside the UK that offer goods or services to individuals in the UK. Data protection law exists alongside other legal obligations for organisations and where personal data is required to meet those, the normal data protection rules would not apply.
All organisations are legally required to keep a register of members; this will almost always involve the collection and storage of personal data (eg member name, contact details and shareholding). It is essential that you can use this personal data to comply with your governing document (eg issue notice of an AGM or membership fee invoices). A member cannot opt out of receiving communications which enable you to administer their membership and comply with your governing document. Marketing preferences should be actioned separately from essential member communications.
Your co-op may be required to pay a data protection fee to the ICO; there are three different tiers of fee between £52 and £3,763 a year. The tier you fall into depends on the size of your staff team, turnover and charitable status and there are a few exemptions which remove the need to pay the fee.
Failure to comply with the requirements of data protection law leaves your organisation open to investigation by the ICO and ultimately to substantial fines. However, the ICO tends to reserve its powers to cases involving reckless or deliberate harm rather than penalising those making genuine mistakes or organisations acting in good faith that can demonstrate their attempts to comply with data protection requirements. The ICO has a clear focus on balancing the rights people should have over the use of their data and the need for businesses to use data to function effectively and offer products and services without being bogged down in red tape and administration.
If your co-op needs support to make sure it’s compliant with data protection requirements, or you have any data protection questions, please get in touch with our team on [email protected].