Credit Unions and GDPR: Part 3
Updated: Feb 1, 2018
Dear Credit Unions, by now you will know that the GDPR or General Data Protection Regulation will come into effect in May 2018. The GDPR is intended to harmonise existing Data Protection laws across the EU. Firstly it will strengthen the rights of citizens around the use of their personal data. It will also increase the responsibility on data processors and controllers when undertaking the lawful processing of personal data of EU citizens. It is important to note that the UK Government has said it will also implement the GDPR even though they are leaving the EU.
Under Article 5 of the GDPR there are Six Principles which set out the responsibilities relating to the processing of personal data. In a series of articles over the coming weeks CUNA Mutual will provide Credit Unions with information and definitions under these Six Principles. The principles outline the approach that Data Controllers must take. In our previous articles we described the responsibilities under the First Two Principles and in this third article we outline the responsibilities within the Third Principle.
The Third Principle of Data Protection within the General Data Protection Regulation describes what criteria a Data Controller must use when collecting information from natural persons or data subjects. As mentioned in previous articles we have provided here on the GDPR Credit Unions members are data subjects.
So any personal data collected by a data controller must be adequate, relevant and limited to what is necessary for the purposes for which they are requesting the data. It’s important to note that any data collected should be the minimum amount of data necessary to fulfil the purpose for which the data is collected and therefore to fulfil the contract entered into by the data subject and the Data Controller. An example might be if you thinking of opening a bank account the bank will seek information from you in order for them have sufficient information to open the account and to provide the customer adequate service on the account. They would not be able to ask for additional information over and above this if not required for opening the account, such as what clubs the customer is a member of, or your spending habits with your credit card, or where you might go on holidays and if you might need travel insurance.
It’s worth noting that many Credit Unions may already be well on the way to GDPR compliance because of the sensible and robust approach that Credit Unions have taken towards data protection and cyber security. If we take The Third Principle here as an example Credit Unions in my view would already be only acquiring data only for the purpose of account opening, issuing and servicing loans.