GDPR, due to come into force across all EU countries on the 25th of May 2018, is designed to ensure we all have more control over our personal data, defined as any information that’s related to an identifiable person. While the depth and breadth of GDPR legislation can seem like a lot to take in, there are six key principles to GDPR that outline the intent of the legislation. But what are they, and what do they mean?
1. Lawfulness, fairness, and transparency
This guarantees that any data processed by your Credit Union is handled in a fair, lawful, and transparent manner. Your members must clearly understand what you’ll do with their data once you have it, and are free to ask for more information about what it’s used for at any time.
2. Purpose limitation
Member data is no longer a one-stop shop. If you’re collecting a member’s data during a loan application, you can only use it for that specified purpose. If you intend to use that member’s data for communications or marketing, you have to make this explicitly clear to the member and get their explicit consent for their data to be used that way. GDPR means an end to implied consent, and a start of using data solely for specified, explicit, and legitimate purposes.
3. Data minimisation
This is intended to ensure that you hold no more data than necessary on any of your members. You can’t ask questions that aren’t relevant to what you provide and to the products your members are currently using – so if they’re solely using the Credit Union for savings, you can’t hold any extra information that may make it easier to sell them a loan in the future.
4. Accuracy
Staying on top of data can be difficult, but when GDPR legislation comes into effect, it’ll become a legal necessity. You must take “every reasonable step” to ensure out-of-date or inaccurate data is cleansed from your system or updated to the correct information, which could mean a lot of extra work if you don’t start now.
5. Storage limitation
If your members apply for a loan, the data you collect will be identifiable to the applicant – but GDPR introduces a limit to how long that data can remain identifiable. Anonymising data after it’s been processed will have to become part and parcel of how you provide your loans and services.
6. Integrity and confidentiality
You’re probably already dedicated to protecting your members’ data, but it will become more important than ever to have stringent security checks. GDPR also extends what protecting your member data means – apart from theft, loss, or damage, you also have to ensure you protect data from any unauthorised processing.
In order to protect your members and your Credit Union, you need to ensure you're working with all relevant stakeholders both inside and outside your Credit Union to stay compliant – such a large project requires a detailed implementation plan with a dedicated compliance team and project management. Ensuring compliance with GDPR legislation is not optional, and is not a responsibility to be taken lightly.
Want to find out more about how Wellington IT's compliance and project management teams can help you with GDPR (or any other compliance issue)?