The GDPR is new legislation that will replace all current national data protection legislation throughout the EU Member States. This will take effect as of the 25th of May 2018. Credit Unions have until this time to prepare to comply with their new obligations under the GDPR.
Some areas of focus for Credit Unions are as follows:
- Detailed information must be provided to customers on the use and processing of their data. Customers must give consent and also be given the ability to withdraw their consent with ease.
- Customers now have more rights, including the right to be forgotten (they can request to have their data deleted) and the right to data portability (to transfer their data to other service providers).
- Credit Unions must notify the local data protection authority of breaches within 72 hours. Should a data breach pose a risk to customer data privacy, the Credit Union must inform customers immediately.
- Credit Unions will have to appoint a data protection officer to manage the ongoing processing of customer data.
- Credit Unions should also revise the processing of their customer data by third-party organisations to ensure that customers' rights are not being breached.
Breach of obligations can result in heavy penalties. These penalties are tiered, resulting in fines up to 2% or 4% of global turnover.