If you process European residents’ data—or have a public website, here are steps toward compliance.
If you think your credit union does not have to comply with the European Union’s General Data Protection Regulation because you don’t serve any EU residents, not only would you would be very wrong, this mistake could be very costly.
The EU GDPR, which took effect on May 25, will impact every U.S. business that processes the “personal data” from EU residents. The regulation focuses on the processing of the data, not the location of the business.
What Does the EU GDPR Require?
The EU GDPR requires entities that process the data of EU residents to obtain specific consent to do so (unless an exception applies). It also provides EU residents with the “right to be forgotten,” allowing such individuals the right to request the deletion of their data.
To carry out these requirements, the regulation requires entities to create data protection policies and, when the entity requires the monitoring of data subjects “on a large scale” (an undefined term), the appointment of a data protection officer.
The regulation requires also entities to notify the EU regulators no later than 72 hours after the entity becomes aware of the "accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to” personal data, unless harm to a data subject is unlikely. Notice must be provided to data subjects only when a breach results in a high risk to their respective rights and freedoms.
What is “Personal Data” and What is Required for Processing?
“Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing of personal data is lawful only if one of the following applies:
- The EU resident provides consent for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Processing is necessary for the purposes of legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (i.e., below the age of 16, though some EU states can lower this to 13).
If one of these lawful purposes does not apply, the entity must first obtain the individual’s specific consent before his/her personal data can be processed.
How Must Consent Be Obtained?
Consent must be specific, and the request for consent must be separate from any other written text. The language used must be “clear and plain.”
The data subject also has the right to withdraw this consent at any time, in a manner as easy as it was to provide it.
What is the Right to Be Forgotten?
EU residents have the right to request the deletion of their data without undue delay when one of the following applies:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- The data subject withdraws consent;
- There is no legal grounds for processing;
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing; or
- The personal data has been unlawfully processed.
Your credit union’s record retention requirements will override an EU resident’s request to delete his/her information, but information not required to be retained for a specific length of time will have to be deleted upon request.
What are the Penalties for Non-Compliance?
The penalties for non-compliance with the GDPR violations are significant. Fines up to €20 million (approximately $25 million) or 4 percent of global annual turnover in the previous financial year, whichever is higher, will be assessed against entities found to have inadequately safeguarded EU resident personal data.
No. Regulation P requires an opt-out for sharing information with non-affiliated third parties for marketing purposes, with exceptions for affiliates and those with whom the institution has a joint marketing agreement.
The GDPR requires consent from EU residents before any information can be processed. Therefore, the privacy notice provided to members will be insufficient to comply with the GDPR.
What Must a Credit Union Do to Prepare and Comply?
1. Amend existing security policies to include the GDPR requirements.
2. Appoint a data protection officer, or at least someone who is familiar with the information obtained and processed, as well as the GDPR requirements.
5. Create a specific consent form for the processing of EU resident personal data (e.g., for marketing purposes, etc.) for EU resident members. Existing EU resident members are not grandfathered, which means consent must be obtained or existing members as well as new ones.
6. Amend marketing plans to ensure EU residents are not included in any mass mailings or email campaigns until their individual consent forms are signed.
7. Review and amend third-party contracts for all third parties that collect and process data on behalf of the credit union. Contracts should be amended to provide specifically how data is protected, as well as the requirements and responsibilities for incident response notification.