The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. GDPR will replace the existing Data Protection Act once it is introduced. The Government has also confirmed that Brexit will not affect its introduction into the UK. The new rules introduce a number of major changes to UK law, including:
- Breaches – Under the new rules, notifiable breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours. Staff will require training on these rules: for example, if there is a loss at 5pm on a Friday and it is left until Monday morning, you only have 8 more hours left to report. For certain breaches the individuals involved and the public may also need to be notified.
- Policies and Procedures – Many of the new rules will require changes to your policies and procedures. In addition, data protection rules will need to be integrated throughout your policies, not just your data protection policy. For example, your policies for account opening will need to incorporate the rules regarding disclosures and permission.
- Disclosure – You will be required to disclose far more information on forms regarding how data will be used, how long it will be retained and, if it will be held outside the EEA, how it will be secured. It is worth keeping this in mind before ordering too many new forms in early 2018. Online forms will also need to be updated.
- Permission – The rules on obtaining consent for using data have also been tightened up, and clear affirmative action will be required from the individual. In other words, pre-ticked boxes will no longer be sufficient for showing that permission has been granted for processing. The rules have also been tightened with regard to obtaining consent for processing data from children, which may be important for Credit Unions with junior accounts.
- Access – Individuals’ rights to access information held about them, and to learn how that data has been used, will be strengthened, and there will be strict timescales for replying to information requests. Again, this is an area that will require staff training.
- Accountability – You will be required to be able to demonstrate to the ICO that you comply with the data processing rules.
- Enhanced Rights – Under the act, individuals have far greater rights, including the right to be forgotten and data portability rights.
- Penalties – The penalties for failure are far more severe under GDPR. Failures can lead to the ICO issuing a fine of up to the greater of €20 million or 4% of global turnover.
The rules are therefore going to cause a major administrative burden for many Credit Unions. Credit Unions will need to start looking, as soon as possible, at their procedures for collecting, processing and storing data so that they do not suffer the severe penalties under the new regime.
The ICO has started issuing draft guidance and consultations on how the new legislation will apply in the UK. This guidance will prove key to how the new rules will apply and what UK organisations will need to do to comply. We will provide further updates and advice once the new guidance is available. If you require any further advice or support in the meantime, please contact us or see our GDPR resource page.