Note:

This area of our website offers information about some of the things we do as a responsible business. For more practical information visit our cookies and privacy pages.


Our policies and practices

In line with the Human Rights Act and data protection legislation (EU and UK GDPR, DPA 2018, PECR), we go to significant lengths to ensure we are delivering on our accountabilities.

  • We’ll only use data in a way that is specified on our How we use your information page. This explains when we collect personal information and what we do with it, including those times when we have a business, legal or regulatory requirement to share it. We regularly review our policy and use it alongside our ‘just in time’ Customer Advisory Notices. Any significant changes are communicated to individuals in a timely manner.

  • We keep an accurate and up to date Record of Data Processing (RoDP). This details the data that is processed within the Society and ensures that data is only used for the intended purpose and legal basis upon which it was collected.

  • We use only the minimum amount of information needed for the processing of personal data under each defined purpose.

  • We ensure that as far as reasonably practicable, personal information is accurate and up to date.

  • Through the Data Governance Record Management and Retention Standard, we ensure that records within the Society are effectively identified, managed and retained in the right place, for the right period of time.

  • We have dedicated teams who are responsible for ensuring the security of systems and data. All staff (including temporary workers and contractors) understand the importance of keeping data safe and secure, and undertake mandatory annual data privacy training as a minimum.

  • Our security policies govern all relevant business areas and outline how Nationwide protects the confidentiality, integrity and availability of information and systems.

  • We also have a Physical Security policy documenting the approach to managing physical security risk. We take the security and privacy of data very seriously, and undergo regular testing and auditing of these functions, including PCI DSS and external ISO27001 and ISO22301 assessments.

  • We ensure individuals’ rights are always respected in the processing of data, and that systems and processes are in place to ensure data subject rights can be easily exercised through all of our core channels.

  • We never use data in a way that would intentionally cause detriment to a data subject, but we understand that, at times, things can still go wrong. When this happens, we have an Incident Management team that ensures there is a thorough incident investigation and that corrective action is taken. They use well-established incident management, disaster recovery and business continuity plans to ensure the minimum amount of impact or harm. In the event of a data breach, we are committed to notifying data subjects in a timely manner and have clear and accessible mechanisms for individuals to raise concerns about data privacy.


How we monitor and improve our performance

We have an independent Data Protection Officer (DPO), who reports into the Director of Prudential Risk & Compliance. The DPO is responsible for the oversight of data protection activity across the Society and in support of this aim conducts regular review activities, based on ICO standards of good practice.

The DPO prepares and presents an annual review of Data Protection activity to the Board Risk Committee.

We work proactively with the wider financial services industry and the regulator to share good practice and shape responses to new and evolving privacy risks.