#digitalunions (black text against yellow)

Digital unionism means security, compliance and trust

As unions digitise, they gain new powers. And as we all know, with new power comes new responsibility.

Data flows more widely across the union. Work happens across a wider range of devices, platforms and locations. All of this creates opportunity but it also creates risk.

The deeper we get into digital unions, the more often (and the more urgently) security and compliance will show up, with questions of trust, responsibility and organisational legitimacy.

Digital risk is inseparable from union responsibility

When members share their data (to join, ask for advice or seek representation) they are placing trust in the union that it can handle their sensitive information carefully, consistently and responsibly across the whole organisation.

For unions, this responsibility is especially serious. Union membership (or non-membership) itself is special category data, and union casework routinely involves highly sensitive personal information. When security or compliance fails, the consequences are not only legal or reputational. Members can be put at personal risk, and confidence in the union could be badly damaged.

Trust should be built into systems, not added afterwards

Trust doesn’t come from privacy notices or policies alone. It needs to be designed into everyday systems and processes.

Casework shows this clearly. Designing a casework system is not just about workflow or efficiency. It means deciding where sensitive data is stored, who can access it, how long it’s kept, and how the union can respond if a member exercises their rights. If these questions aren’t addressed early, risk simply gets postponed until something goes wrong, when it could be more damaging.

When systems are unclear or inadequate, people work around them. Files end up in personal folders. Case notes are shared through consumer messaging apps like WhatsApp. Surveys or forms are created using unofficial software. Each step may feel harmless on its own, but together they undermine the union’s ability to protect members and meet its legal obligations.

Shadow IT reflects gaps in provision

Shadow IT is often framed as rule-breaking. More often, it’s a signal for unmet need.

Union reps and staff are by nature problem-solvers (and often have a healthy distrust of authorities telling them what to do). When official tools are unavailable, slow or confusing, they’re going to reach for alternatives that are quick and familiar. The problem is not the intent – it is that these tools sit outside union oversight, security controls and data protection governance.

For unions, this creates genuine risk. Shadow IT makes it harder to enforce security standards, respond to subject access requests, or even know where member data is held. Addressing this isn’t just about shutting tools down. It requires leadership decisions about which tools reps and staff actually need, how those tools are communicated, and how new requirements are surfaced and acted on.

Cyber security depends on behaviour, not just controls

Most serious cyber incidents don’t begin with technical failure. They begin with human error. Phishing remains the most common way organisations are compromised, and unions are a frequent target.

Anyone can fall for a phishing attack – especially if they’re under pressure, on a mobile device, or when messages appear familiar and urgent. Treating security as a test of individual vigilance is unrealistic and unhelpful. Building a no‑blame culture and encouraging reporting and swift action are just as important as technical controls.

Compliance is a practical capability

Data protection compliance is often seen as paperwork. In reality, it’s an operational capability.

Unions must know what personal data they hold, why they hold it, where it is stored and who can access it. That is extremely difficult when systems have grown organically, data is scattered across tools, or responsibilities are unclear.

Mechanisms like RoPAs (Records of Processing Activities) are not just compliance artefacts. Used well, they provide visibility that supports safer system design, better decision‑making and quicker responses when issues arise.

Security underpins digital unionism

Security failures don’t stay contained. Breaches can force unions to notify members, regulators and the media within days. Trust can evaporate quickly. In sensitive sectors, the consequences can be severe.

Because unions are about supporting members in their working lives and helping them to exercise their rights, digital unionism can’t be about moving fast and accepting that things will break. It needs to be about building systems members can rely on.

That means:

  • treating security, compliance and trust as design inputs from the start
  • investing in usable, secure tools for reps and staff
  • supporting staff and reps with training and guidance
  • and maintaining clear oversight of where data lives and how it is used

Done well, this work strengthens unions. It makes digital change safer, more resilient and more worthy of the trust members place in their union.


Further reading

To explore these issues in more depth, the following Digital Lab resources focus on security, risk and trust in union digital practice:


About this article

This blog was drafted with the help of generative AI, drawing on the Digital Lab’s 330,000 words of published content, across reports, guides, case studies and blogs. If you’d like to know more about that process and how AI was used, visit the series starter blog here.