GDPR for UNISON branches

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

GDPR strengthens individuals’ rights to know about, and to control, how their own data is processed. This means you will need to do certain things differently within the branch, including:

  • Being more transparent about what data is being collected for and how UNISON will use it. You should always tell people so they can make an informed choice about whether to provide data.
  • Reporting any data protection breach immediately to The Data Protection team only have 72 hours in which to report certain breaches to the Information Commissioner’s Office (ICO).
  • Reporting any request for personal data immediately. The Data Protection team only have one month to respond to subject access requests and the clock starts ticking as soon as the request is received in branch.
  • Reporting any request for data to be deleted. If the data is no longer needed, the Data Protection team has to comply with an erasure request.

The single most important thing we can do to comply with GDPR is to all use the same membership system to hold data. For branches this means using WARMS. For bulk email, WARMS is compliant with GDPR because:

  • It does not email members who have unsubscribed.
  • It uses up to date email addresses.
  • It does not email lapsed members.

The following guidance provides further information on all of the above and more on how to make your branch GDPR compliant:

If you have any questions, please contact the Data Protection team on