Dear Credit Unions, by now you will know that the GDPR or General Data Protection Regulation will come into effect in May 2018. The GDPR is intended to harmonise existing Data Protection laws across the EU. Firstly it will strengthen the rights of citizens around the use of their personal data. It will also increase the responsibility on data processors and controllers when undertaking the lawful processing of personal data of EU citizens. It is important to note that the UK Government has said it will also implement the GDPR even though they are leaving the EU.
Under Article 5 of the GDPR there are Six Principles which set out the responsibilities relating to the processing of personal data. In a series of articles over the coming weeks CUNA Mutual will provide Credit Unions with information and definitions under these Six Principles. The principles outline the approach that Data Controllers must take. In our last article we described the responsibilities under the First Principle and in this second article we outline the responsibilities within Principle two.
The Second Principle for data processing within Article 5 refers to the collection of personal data by data controllers and processors. In the case of Credit Unions this refers to members personal data. Article 5 makes it clear that personal data is collected for specific, explicit and legitimate purposes. It goes on to say that that processing of personal data should not be incompatible the purposes for which it was collected. That said further processing for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the Second Principle.
More simply put this Second Principle of data protection means there must be clarity from the outset as to why the personal data is being collected by the data controller and what it intends to do with the collected data. It’s important to note here that it is not permitted to add in additional statements such as, “to meet other business purposes”, or for other business activities now or in the future. Clearly what is required within this Second Principle is clarity for the member as to why we are seeking their personal data.
For credit unions it may involve a new look at account opening forms and loan application and any other means by which we collect member’s personal data.