Credit Unions and GDPR: Part 6
Dear Credit Unions, by now you will know that the GDPR or General Data Protection Regulation will come into effect in May 2018. The GDPR is intended to harmonise existing Data Protection laws across the EU. Firstly it will strengthen the rights of citizens around the use of their personal data. It will also increase the responsibility on data processors and controllers when undertaking the lawful processing of personal data of EU citizens. It is important to note that the UK Government has said it will also implement the GDPR even though they are leaving the EU.
Under Article 5 of the GDPR there are six principles which set out the responsibilities relating to the processing of personal data. In a series of articles over the previous months, CMutual has been providing Credit Unions with information and definitions under these six principles. The principles outline the approach that Data Controllers must take. In our previous articles we described the responsibilities under the first five principles; in this article we outline the responsibilities within the sixth principle.
As Data Controllers, the sixth principle places the responsibility on Credit Unions to “ensure a level of security appropriate to the nature of the data and the harm that might result from a breach of security, and also to take account of the state of technological developments and costs in doing so.”
This sixth principle requires some explanation. It means that organisations must design and organise the security around personal data to fit the nature of the personal data being held, and must treat the harm that may result from a security breach as a measure of risk. The principle also requires us to take into consideration the technological developments available and the cost of applying them. So if we hold very sensitive personal data on members, i.e. data subjects, we should consider the different technologies available to make that data more secure.
The Credit Union should be clear about who in the organisation is responsible for ensuring information security. That person should make sure there is the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff. That person should also oversee the preparedness of the Credit Union to detect any data breach, and ensure robust plans are in place to prevent breaches in the first instance and, if necessary, to mitigate any resulting risks.
The appropriate measures mentioned earlier might include the Credit Union considering ISO/IEC 27001:2013, which specifies an Information Security Management System (ISMS). It is an internationally recognised good-practice information security framework with independent, accredited certification. Adopting this standard creates an environment of data protection by default and by design, which is a key requirement of the ICO in the UK.