Credit Unions and GDPR: Part 5
Dear Credit Unions, by now you will know that the GDPR, or General Data Protection Regulation, will come into effect in May 2018. The GDPR is intended to harmonise existing Data Protection laws across the EU. First, it will strengthen the rights of citizens around the use of their personal data. It will also increase the responsibility on data processors and controllers when undertaking the lawful processing of personal data of EU citizens. It is important to note that the UK Government has said it will also implement the GDPR even though the UK is leaving the EU.
Under Article 5 of the GDPR there are Six Principles which set out the responsibilities relating to the processing of personal data. In a series of articles over the coming weeks CMutual will provide Credit Unions with information and definitions under these Six Principles. The principles outline the approach that Data Controllers must take. In our previous articles we described the responsibilities under the First Four Principles and in this article we outline the responsibilities within the Fifth Principle.
The 5th Principle of the GDPR addresses the length of time for which Data Controllers are allowed to retain personal data. The 5th Principle advises that:
Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary and for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
It’s clear the 5th Principle imposes a heavy responsibility on data controllers around holding on to personal data and also in the storage of that data. In practice, the 5th Principle means that Credit Unions will be required to review the length of time they may lawfully keep members’ personal data. We must now also consider the legitimacy of, and the purposes for which, we hold members’ data, and have policies and procedures in place setting out how long and why we retain that data. Credit Unions will therefore need to put in place a procedure to delete member data when it is no longer required, and indeed when it may no longer be lawful to hold that data.
This means having a policy to archive or securely delete information once it goes out of date. This is why it is so important for Credit Unions to now carry out data flow mapping to understand the members’ data that they currently hold.