Bobby Gould

Credit Unions and GDPR: Part 5

Dear Credit Unions, by now you will know that the GDPR or General Data Protection Regulation will come into effect in May 2018. The GDPR is intended to harmonise existing Data Protection laws across the EU. Firstly it will strengthen the rights of citizens around the use of their personal data. It will also increase the responsibility on data processors and controllers when undertaking the lawful processing of personal data of EU citizens. It is important to note that the UK Government has said it will also implement the GDPR even though they are leaving the EU.

Under Article 5 of the GDPR there are Six Principles which set out the responsibilities relating to the processing of personal data. In a series of articles over the coming weeks CMutual will provide Credit Unions with information and definitions under these Six Principles. The principles outline the approach that Data Controllers must take. In our previous articles we described the responsibilities under the First Four Principles and in this article we outline the responsibilities within the Fifth Principle.

The 5th Principle of the GDPR concerns the length of time for which Data Controllers are allowed to retain personal data. The 5th Principle advises that:

Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary and for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

It’s clear the 5th Principle imposes a heavy responsibility on data controllers around holding on to personal data and also around the storage of that data. In practice, the 5th Principle means that Credit Unions will be required to review the length of time they may lawfully keep members’ personal data. We must now also consider the legitimacy of, and the purposes for, which we hold members’ data, and have policies and procedures in place on how long and why we retain that data. Credit Unions will therefore need to put in place a procedure to delete member data when it is no longer required and when it may no longer be lawful to hold that data.

This means a policy to archive or securely delete information once it goes out of date. This is why it is so important for Credit Unions to now carry out data flow mapping, so that they understand the members’ data they currently hold, why they hold it and where it is stored.
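As an added illustration (this is example code, not CMutual’s or any Credit Union’s own system), the following shows how a retention schedule keyed by processing purpose can be applied to member records: records still within their retention period are retained, records past it are securely deleted, and records whose purpose permits statistical archiving are pseudonymised instead, in line with the exemption quoted above. Records held without any documented purpose are flagged for review, since no retention period can be justified for them. The purposes, retention periods, record fields and member data below are all constructed assumptions for the example, not legal advice.

```python
"""Retention schedule evaluator for the GDPR 5th Principle (storage limitation).

Added example, not code from the original article. The schedule, record
layout and sample members are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    RETAIN = "retain"    # still within the retention period for its purpose
    ARCHIVE = "archive"  # past retention, but statistical archiving permitted: pseudonymise
    DELETE = "delete"    # past retention and no lawful reason to keep it
    REVIEW = "review"    # no documented purpose, so no retention period can be justified


@dataclass(frozen=True)
class RetentionRule:
    retain_for: timedelta      # how long the data is needed after the purpose ends
    statistical_archive: bool  # may be kept longer, pseudonymised, for statistical purposes


@dataclass(frozen=True)
class MemberRecord:
    member_id: str
    name: Optional[str]
    purpose: str                   # why the credit union holds this record
    purpose_ended: Optional[date]  # e.g. loan repaid or account closed; None = still active


# Hypothetical retention schedule (constructed periods, not a legal recommendation).
SCHEDULE: Dict[str, RetentionRule] = {
    "loan-account": RetentionRule(timedelta(days=6 * 365), statistical_archive=True),
    "savings-account": RetentionRule(timedelta(days=6 * 365), statistical_archive=False),
    "marketing-consent": RetentionRule(timedelta(days=0), statistical_archive=False),
}


def decide(record: MemberRecord, today: date,
           schedule: Dict[str, RetentionRule] = SCHEDULE) -> Action:
    """Return the action the schedule requires for one record on the given date."""
    rule = schedule.get(record.purpose)
    if rule is None:
        return Action.REVIEW            # data held with no documented purpose
    if record.purpose_ended is None:
        return Action.RETAIN            # purpose is ongoing, retention clock not started
    if today <= record.purpose_ended + rule.retain_for:
        return Action.RETAIN
    return Action.ARCHIVE if rule.statistical_archive else Action.DELETE


def pseudonymise(record: MemberRecord) -> MemberRecord:
    """Strip direct identifiers so an archived copy no longer permits identification."""
    return replace(record, member_id="<removed>", name=None)


def run_review(records: List[MemberRecord], today: date) -> Dict[Action, List[str]]:
    """Group member ids by required action; the caller then executes the deletions."""
    outcome: Dict[Action, List[str]] = {a: [] for a in Action}
    for rec in records:
        outcome[decide(rec, today)].append(rec.member_id)
    return outcome


# Constructed sample data for the example.
SAMPLE_RECORDS = [
    MemberRecord("m001", "A. Member", "loan-account", date(2010, 1, 1)),
    MemberRecord("m002", "B. Member", "marketing-consent", date(2018, 1, 1)),
    MemberRecord("m003", "C. Member", "savings-account", date(2017, 1, 1)),
    MemberRecord("m004", "D. Member", "savings-account", None),
    MemberRecord("m005", "E. Member", "legacy-spreadsheet", date(2005, 6, 30)),
]

if __name__ == "__main__":
    review_date = date(2018, 5, 25)
    for action, ids in run_review(SAMPLE_RECORDS, review_date).items():
        print(f"{action.value:8s}: {ids}")
    archived = pseudonymise(SAMPLE_RECORDS[0])
    print("archived copy:", archived)
```

The review deliberately separates deciding from acting: `run_review` only reports what the schedule requires, so the output can be checked against the data flow map before any record is deleted or pseudonymised.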


CUNA Mutual Group Limited is authorised and regulated by the Financial Conduct Authority (FCA). Reference Number 304814; You can check this on the FCA's register by visiting the FCA's website on or by contacting the FCA on 0845 606 1234. CUNA Mutual Group Limited registered office is at 100 New Bridge Street, London, EC4V 6JA; Registered in the UK under company number 03571106; This site contains information about products and services offered by companies within the CUNA Mutual Group Limited. From this site you can follow links to other sites operated by CUNA Mutual Group Limited companies © CUNA Mutual Group Limited 2017. All Rights Reserved.