With GDPR coming into effect May 25th, we wanted to share some of our processes as to how we manage compliance and regulatory changes with our Credit Union customers.
What is GDPR?
In real terms, it’s the reason you’ve been getting all those re-subscription emails!
The General Data Protection Regulation, coming into force on Friday 25th May 2018, is a law on data protection and privacy for all individuals within the European Union. It also covers the export of personal data outside the EU, and the United Kingdom has pledged to stay compliant with this EU law.
What does it mean for Credit Unions?
Even financial institutions have to offer their members the right to be forgotten, meaning you now need to be able to wipe or anonymise accounts in your databases, as well as hand over information that members would not previously have been able to access.
The articles of the regulation that will mean the biggest changes to data protection for your Credit Union are:
- The right to be forgotten (17)
- Lawfulness and processing (6)
- Security of processing (32)
What did our project entail?
In line with our Regulatory Compliance Change Framework, we made sure to engage early with our customers to ensure any changes to our system were in line with exactly what they needed.
Work began early in Q1 2017, with our dedicated Risk & Compliance officer acting as project lead. Shortly after the project began, we engaged with our GDPR Special Interest Group, made up of customers from several Credit Unions who met with members of the Wellington team to discuss necessary changes.
Working closely with this group for two months, we developed our GDPR Matrix - a comprehensive gap analysis between our existing core system and the GDPR legislation. This gap analysis was then passed to our development team and formed the foundation of the changes made to our core system. Following review by our Risk and Compliance Officer, coding by the development team and testing by QA, the changes also went through a Data Protection Impact Assessment (DPIA), a systematic evaluation of the impact that processing would have on the data within the system.
What changes have we made?
We’ve aligned our larger development items with the areas of GDPR which will affect your Credit Union the most - meaning you can easily set data retention policies and apply them separately to reports and documents/images, purge old reports and records, anonymise data, and create data flows, all within your existing system. To accompany the roll-out, customers will receive a user guide, as well as training videos and a GDPR workshop within the next few months. Helping you stay compliant is one of our core concerns, and we want to ensure you get the support you need.
For a more in-depth look at how we project-manage big compliance changes that affect your Credit Union, check out our infographic:
Credit Unions have plenty coming down the line when it comes to regulatory compliance. If you'd like to find out more about our approach to upcoming issues, check out our Q1 2018 Compliance Update.