Are you ready for GDPR?

The EU General Data Protection Regulation (GDPR) comes in on 25 May

GDPR is the most important change in data privacy protection for 20 years. It will reshape the way organisations approach data handling, and give individuals more rights over information held about them, particularly around access to it and control over how their information is used.

The Data Protection Bill, currently going through parliament, will seek to ensure that post-Brexit the UK is able to guarantee adequate data protection so that the free flow of data between Britain and the EU can continue.

As well as having profound implications for health care providers, the GDPR will affect organisations like the RCN, which process thousands of interactions and transactions every day, generating vast amounts of information. Under the GDPR, breaches could result in fines of 4% of annual turnover, up to £17 million.

Breaches could result in fines of 4% of annual turnover, up to £17 million

The RCN online training package will equip you with the knowledge and skills you need to ensure you are GDPR-compliant.

The training is vital: members trust the RCN to manage their personal data safely and to use it only in ways they have agreed to.

Top ten tips for GDPR

  1. Know what data you have and why you have it. If you don’t need it, delete it.
  2. Don’t keep stuff just because it might be useful. Delete old emails and folders you no longer need.
  3. Don’t use your work email for RCN business. If you don’t have an RCN email address, set up a separate, easily identifiable email address in Hotmail or Gmail.
  4. Complete the RCN online training by 25 May.
  5. Don’t keep your own member lists. All communication to members should be through the member communications centre (MCC), your branch or local office. If you don’t have access to the MCC, arrange your access and training through your local office and use your branch or local office to send your email communications in the meantime.
  6. Record all case work on the RCN case management system.
  7. Use the document viewer on the steward’s portal (see below for more information).
  8. If RCN work isn’t related to a case, remember it’s still good practice to keep it secure.
  9. You can continue to use social media groups, but remember these are broadcast mediums so never use identifiable information.
  10. The fact that someone is a member of the RCN must not be revealed without explicit consent. Being a member of a trade union is classified as a special category of personal data and this is as sensitive as medical records.


The training will give you a comprehensive understanding of the GDPR and should take no more than an hour. Getting it done as soon as possible will help you feel confident in your activity as an RCN rep and will prepare you for any questions members have about how the RCN uses their data.

After the GDPR comes into force on 25 May, new casework will only be allocated to stewards who have completed the online training.

Don’t delay, train today

To support reps, branch and board members to understand and comply with the introduction of GDPR, the RCN has provided online data protection training.

Francis Lavery sits on the RCN UK Learning Representatives Committee and helped design the RCN’s training. He says: 

"The training the RCN has provided opens your eyes to what you need to know and highlights things you might not have thought about.

"It’s been provided to help protect you and ensure good practice so I’d encourage you to embrace the change. Some people don’t know anything about it yet but as activists we should take the lead and become role models.

The training isn’t difficult

"After completing the training I found that I needed to make changes myself but now I hope I’m in a position to guide others. For example, I used to keep emails for too long, and now I’m very aware that I mustn’t copy in people when it’s unnecessary. Once something has been passed on, you lose control of it and in this day and age, everything is so easily published – even on social media. You just don’t know where something’s going to end up. Even if you hope that people will be discrete it’s no longer something you can rely on.

"The training isn’t difficult, a lot of it is common sense – such as always having passwords on your phones or computers and not leaving information where it can be exposed. There will be benefits too, by remembering not to give out a steward’s contact details but signposting members to RCN Direct instead, we’ll become more structured and organised.

"It’s time to think differently and remember that being a member of a trade union is sensitive data. Locally I’m known as Mr RCN so I guess it’s obvious that I don’t mind people knowing I’m a member. But not everyone feels the same way. It’s up to that person to decide if they want to tell their story.

"Doing this training reminded me that using other people’s data is now so commonplace it’s a bit like driving your car – you develop bad habits without even realising it and it’s now time to make changes for everyone’s protection."

Being practical

As part of the RCN’s preparations for the introduction of the General Data Protection Regulations (GDPR), we’ve introduced a document viewer on the steward’s portal. When you open the document in the portal it will open in the document viewer rather than as a Word or PDF document, email attachment or uploaded file. This will protect you from accidently downloading and saving any documents to your local drives.

“We’ve introduced the viewer to help keep members’ data secure,” says Jonathan Bowker, RCN Member Representation and Support Programme Lead. “It’s a simple way to prevent sensitive member data from not being password-protected or being stored on local drives that can be used by others, which is a risk which we need to prevent.”

You’ll still be able to search for specific words or terms when using the new viewer.

Find out more

The Information Commissioner’s Office (ICO) has produced a comprehensive guide to the GDPR.

Alongside the guide, the ICO offers details of “12 steps to take now” and a checklist to help prepare for the GDPR.

See also guidance on the GDPR and the NHS on the NHS Digital website.

Read next

Read next...