Dear Credit Unions, by now you will know that the GDPR (General Data Protection Regulation) will come into effect in May 2018. The GDPR is intended to harmonise existing Data Protection laws across the EU. Firstly, it will strengthen the rights of citizens around the use of their personal data. It will also increase the responsibility on data processors and controllers when undertaking the lawful processing of personal data of EU citizens. It is important to note that the UK Government has said it will also implement the GDPR even though the UK is leaving the EU.
Under Article 5 of the GDPR there are Six Principles which set out the responsibilities relating to the processing of personal data. In a series of articles over the coming weeks CUNA Mutual will provide Credit Unions with information and definitions under these Six Principles. The principles outline the approach that Data Controllers must take:
- Process personal data lawfully, fairly and in a transparent manner
- Collect it only for specified, explicit and legitimate purposes
- Keep it adequate, relevant and limited to what is necessary
- Keep it accurate and, where necessary, up to date
- Retain it only for as long as necessary
- Process it in an appropriate manner to maintain security
(Note: the GDPR also introduces a new requirement, namely that Data Controllers must be able to demonstrate accountability.)
Taking the First Principle and seeing how it will affect us in the Credit Union space, we must be able to show adherence to at least one of the items under this First Principle. The First Principle asks Data Processors, i.e. Credit Unions, to consider the processing of data with the following in mind:
- A member gives consent for their data to be used for one or more specific purposes (i.e. the opening of an account, the application for a loan, or both, or the provision of other CU services to the member).
- A situation might arise where we would need to pass a member's data to a third party (e.g. debt collection services); we should also mention this to our members and get their permission, should that need arise.
- Processing the member's data is necessary to comply with a legal requirement of the Credit Union.
- Processing is necessary to fulfil a contractual obligation.
- Processing is necessary to protect the vital interests of a person.
- Processing is necessary for the public interest.
- Processing is necessary for the legitimate interests pursued by the controller.
Clearly we in the Credit Union can tick the first item here, i.e. that we have the member's permission to use their personal data for clear and legal reasons, namely to enable the credit union to provide our services to the member. We should of course advise members what these different services are and why we need their data. We should also advise members that we retain their data only for the purpose of providing these services and for no other reason.