Find out more about the General Data Protection Regulation.  Why it’s needed and what it means to you


Do you know how your personal information is being collected, used, stored and shared by the organisations that you’re giving it to?

With ever-changing and improving technologies, data sharing has become something we do every day, and this means data protection is becoming more and more important. This is why new legislation, known as the General Data Protection Regulation (GDPR), is being enforced on the 25th May.

But what exactly does this mean for you as a customer?

What is GDPR and why is it needed?

GDPR is designed to replace and modernise the current Data Protection Act. This new regulation builds on principles already in place and specifically aims to give individuals more control over their personal information and make organisations more accountable for how they collect, use, store and share personal information.  Personal information is any information that can be used to identify you either on its own or together with other information for example your name and address.

There are two main reasons why GDPR has been developed.


There are different data protection laws across Europe, because each country developed its own standards and rules. The introduction of GDPR means that data protection is further standardised, so that you can expect the same rules and the same level of protection wherever your personal information is processed. This also makes it easier for companies to manage your information, as the same rules apply regardless of where they operate.



The use of technology and the volume of personal information collected, processed and shared has risen dramatically over the last few years, and with it the risk of our personal information being misused has increased.  Examples of high profile incidents involving personal information have recently been seen in the telecoms and social media sectors.

GDPR identifies a number of safeguards which organisations have to put in place to protect personal information, and gives you enhanced and new rights regarding how your personal information is collected, used, stored and shared.

For anyone who is questioning how EU law like GDPR operates post-Brexit, it was announced last year that a new Data Protection Bill will in effect implement the GDPR and will reiterate the UK’s commitment to the privacy principles enshrined in the EU regulation. The Bill will result in a new Data Protection Act replacing the 1998 Act. And as and when the UK leaves the EU the new Data Protection Act will replace the GDPR.


What does it mean to you?

GDPR aims to protect all the personal information which an organisation collects, uses, stores and shares about you. Personal information is any information that can be used to directly or indirectly identify you as an individual. Previously this was limited to information  such as your name, address history, phone number etc., but in a world where technology is developing at a fast pace the regulation has widened what is meant by personal information to include such things as IP addresses and social media profiles.

Whilst organisations including Chelsea Building Society and the Yorkshire Building Society Group (YBSG), of which it is part, have worked hard to make sure they comply with the regulation, as a consumer you don’t have to do anything in particular. You might start seeing subtle changes in how organisation interact with you such as cookie warnings displayed on websites, clearer check boxes when asked to sign up to newsletters and promotions, and more easily accessible information detailing how an organisation collects, uses, stores and shares your personal information.

GDPR also provides the following rights to consumers


The right to be informed

This gives you the right to know who is responsible for safeguarding your personal information and how the organisation collects, uses, stores and shares your personal information. All organisations must clearly say who the data controller is when handling your personal information.

The right of access

This allows you to request a copy of the personal information which an organisation holds about you. Prior to GDPR, many organisations charged a fee when dealing with these requests. This is no longer allowed for the majority of requests made. Companies must also provide a response to the customer within 30 days and provide it in an electronic format where possible.

The right to rectification

If any of your personal information is incorrect or incomplete you have the right to ask to have this information corrected.

The right to erasure (right to be forgotten)

This means that you have the right to request that an organisation deletes any personal information it holds about you. There may be compliance or legal reasons which prevent an organisation from fulfilling requests made under this right.

The right to restrict processing

If you feel an organisation is using your personal information incorrectly you can prevent it being used for certain purposes.

The right to data portability

This gives you the right to obtain and reuse personal information you have provided for your own purposes across different services. Organisations must provide you with information you have requested in a machine readable format.

The right to object

You have the right to request that organisations stop some specific uses of your personal information, for example if you don’t which to receive direct marketing.

Rights in relation to automated decision-making and profiling

You have the right to appeal against any computer-only generated decisions about you.

The right to lodge a complaint with the Information Commissioner’s Office (ICO)

All organisations must make it clear that if you are unhappy with a response received about a complaint you have made regarding your rights, you can escalate this to the ICO.

What are we doing?

To comply with the GDPR Chelsea Building Society has carried out the following:
  • We have made updates to our policies and procedures to align with the stricter requirements of GDPR. We have enhanced our processes to ensure your personal information is kept safe and should a problem occur we can fix it quickly so preventing unnecessary detriment to you. 
  • We work with a number of carefully selected parties who may process your personal information on our behalf. We have updated contracts with these parties to ensure they take the same level of care handling your personal information.
  • We have trained our colleagues so they understand GDPR and can apply the regulation correctly when interacting with you and when handling your personal information.
  • We have updated our Fair Processing Notices (also referred to as Privacy Notices) so that you are provided with all necessary information about how we are handling your personal information. These notices can be found in our booklets How we use your personal information and Your Rights and Data Protection and within our application forms.
  • We will be updating these between now and 25 May when the GDPR comes in to effect.
  • We are appointing a Data Protection Officer to monitor internal compliance, inform and advise on our data protection obligations and act as a contact point for data subjects and the Information Commissioner's Office.