Credit Unions and GDPR: Part 4
Dear Credit Unions, by now you will know that the GDPR, or General Data Protection Regulation, will come into effect in May 2018. The GDPR is intended to harmonise existing Data Protection laws across the EU. Firstly, it will strengthen the rights of citizens around the use of their personal data. It will also increase the responsibility on data processors and controllers when undertaking the lawful processing of the personal data of EU citizens. It is important to note that the UK Government has said it will also implement the GDPR even though the UK is leaving the EU.
Under Article 5 of the GDPR there are Six Principles which set out the responsibilities relating to the processing of personal data. In a series of articles over the coming weeks CUNA Mutual will provide Credit Unions with information and definitions under these Six Principles. The principles outline the approach that Data Controllers must take. In our previous articles we described the responsibilities under the First Three Principles, and in this article we outline the responsibilities within the Fourth Principle.
The Fourth Principle of the GDPR is perhaps, in my opinion, the Principle which requires the least explanation as it is self-explanatory.
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
In order to comply with the GDPR under Principle Four, data controllers must take all reasonable steps to ensure the accuracy of the personal data they obtain from data subjects, who in our case are our members. Put very simply, it will be important to ensure that we obtain the member's correct name and title (e.g. Ms, Mr, Mrs), the correct postal code and address, occupation, etc. It is important, too, that we take all reasonable steps to ensure the data we hold on file is accurate.
Within the Credit Union space this is not a complex process compared with, for example, data controllers who acquire medical information on data subjects. Bear in mind, too, that the greater the potential impact of processing the data, the more important its accuracy is, and therefore the greater the effort you should make to ensure that it is accurate.
Keeping data up to date is also important; a simple example is members' addresses. It would show a lack of compliance if we knew a member had changed address but were still sending AGM Reports to the previous address. It is important that our updated GDPR Procedures mention observance of Principle Four and state that the Credit Union takes all reasonable steps to ensure member data is up to date and accurate. This could be supported by signage in the Credit Union asking members to "Tell us of any changes to your address or contact details", etc. This also supports compliance with the GDPR's requirement of data protection by Design and by Default, which is important within the GDPR.
Elizabeth Denham, the UK Information Commissioner at the ICO, gave a speech at the Institute of Chartered Accountants in England and Wales (ICAEW) in January 2017. She discussed the role of accountability in the GDPR, noting: "We're all going to have to change how we think about data protection." She went on to say: "The new legislation (the GDPR) creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It's about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation."