MARKS AND SPENCER GROUP PLC

DATA PROTECTION AND PRIVACY POLICY

OUR KEY PRINCIPLES

M&S is committed to complying with all applicable data protection and privacy legislation when
collecting and using personal data of customers, colleagues and others. In summary, this means we:
(i) keep personal data secure and protected against unauthorised access or disclosures;
(ii) handle personal data in a fair and transparent manner; and
(iii) respect the privacy and data protection rights of individuals.

WHY IS PERSONAL DATA IMPORTANT?

As a large retail business with millions of customers and thousands of colleagues in the UK and overseas, M&S collects and handles large volumes of personal data. This is necessary for us to run our business, including managing employees, keeping our customers safe and trading in our stores and online. Effective use of personal data is particularly important to ensure we offer and supply products which best meet our customers’ needs and become a fully data driven and digital business. We recognise that whilst personal data is a critical business asset, we must utilise it in a way which respects individuals’ rights and complies with our legal duties.

M&S is committed to complying with all applicable data protection laws including:
UK General Data Protection Regulation; and
Data Protection Act.

M&S keeps fully abreast of all guidance issued by the UK’s data protection regulator, the Information Commissioner’s Office.

Any breach of our legal obligations can have very serious consequences including:
exposing customers and employees to damage and distress;
enforcement action and multi-million pound fines being imposed on M&S; and
loss of customer goodwill and trust.

DUTIES AND RESPONSIBILITIES

Colleague responsibilities

All colleagues have a personal responsibility to help M&S comply with Data Protection and Privacy laws. In particular, colleagues must comply with our Data Protection Policy for colleagues, and ensure they complete mandatory data protection training each year.

The Data Protection Policy for colleagues provides clear guidance on how personal data must be treated, identifies key do’s and don’ts, and contains information about where to get further advice and how to report or escalate issues.

Colleagues must also comply with the Acceptable Use Policy which sets out the rules on appropriate and safe use of M&S systems and/or devices.

Data Protection Officer’s team

M&S appointed a Data Protection Officer (“DPO”) before the GDPR came into force, and the DPO’s team is principally responsible for ensuring that appropriate compliance controls and procedures are in place. The DPO is supported by a Deputy DPO and a network of Compliance Managers embedded across our business who are responsible for day-to-day compliance.

The DPO team is also responsible for responding to requests by customers, employees and other individuals exercising their data protection rights.

The DPO team works closely with the Cyber Security team to ensure appropriate data security controls are applied to personal data.

Transparency and fair processing

To comply with our duties to process personal data in a fair and transparent manner, and comply with individuals’ rights, we provide appropriate data privacy notices explaining how personal data is used by M&S. The two main notices for customers and employees are provided in the M&S Privacy Policy (published on our customer website) and the M&S Colleague Privacy Policy (published on our intranet site) respectively.

Suppliers and service providers

We require any supplier, service provider or other third party that processes personal data on behalf of M&S (defined as a “data processor”) to enter into a contract which includes appropriate data protection provisions. This includes the legal clauses required under the GDPR as well as more detailed data security obligations where
appropriate. Our Cyber Security team will also conduct pre-contractual due diligence and subsequent audits where proportionate, in order to provide assurance on data security.

Information Security Management

Our Cyber Security team operate to maintain appropriate data security controls for personal data and the systems in which it is held. This includes monitoring and assessing threats and responding to attempted attacks on our systems. We have procedures in place to manage data security incidents appropriately, including making appropriate notifications to regulators where required. We also conduct data security breach exercises on a regular basis.

COMPLIANCE

All colleagues must comply with the relevant policies and any failure to do so will be treated seriously. Non-compliance may result in disciplinary procedures up to and including dismissal.

We monitor compliance using a range of measures including:
Training completion statistics
Complaints by customers, employees and others
Investigations by the ICO
Queries and requests for advice
Assurance activities undertaken by our Compliance Managers, including conducting Data Protection Impact Assessments which identify risks and mitigating actions.

REPORTING AND QUERIES

If you have data protection queries, concerns or need advice, please contact the Compliance Manager for your business unit or the DPO’s team by emailing DataProtectionOfficer@marks-and-spencer.com.

If you believe there has been a breach of M&S data security resulting in access to, or loss of personal data held in our systems (or those operated for us by third parties) please report this to the Cyber Security team immediately by either of the following:
Email: [email protected]
Telephone: 0044 2087 185151

FURTHER GUIDANCE DOCUMENTS

Please refer to the following documents, published on the People Hub section on the intranet, for further information:
Data Protection Policy for colleagues
Acceptable Use Policy

FURTHER INFORMATION

Policy Owner Nick Folland, General Counsel

Compliance Lead Sarah Dickson, Data Protection Officer

Published / Effective from March 2023

Review frequency Annually

Next review date March 2024
