The Information Commissioner's Office has developed a 12-step guide to preparing for GDPR. Step 1 is awareness of the new rules. Hopefully your Board and Management will be aware of the new rules and the steps that need to be taken.
Step 2 is looking at what personal data you hold, where it came from and who you share it with. You need to know these details so that you can consider:
- whether you are processing this under a lawful basis,
- the privacy notices you need to have in place and
- the security of the data.
In this, the first of a series of blogs on GDPR, we look at some of the key questions within Step 2. Further blogs in this series will only be for clients.
What personal data does your Credit Union hold?
The obvious answer is members' data (mainly from application forms, change of detail forms and loan applications). There are, however, other personal details that you collect and process. Examples include:
- Next of kin details, which are personal information about that third party.
- Employee payroll and staff records.
Where do you collect the data from?
Not all the information you collect will come directly from the member. Credit reports are a common example of personal data that you will not receive directly from the member. It is important that this is recorded, as you have reporting duties with regard to this data.
Who do you pass sensitive data to?
It is easy for Credit Unions to believe that they do not pass sensitive data on to third parties. There are, however, a number of third parties to whom you will pass personal data, including:
- Regulator - Single Customer View data is just one example of personal data that goes to the regulator.
- Debt collectors - If you use debt collectors then you will be passing them sensitive data to allow them to trace the member, as well as details of their balance.
- Auditors and internal auditors - Auditors carry out testing of personal data of members and staff in their tests of loans, shares and wages.
- Payroll processors - If you use a third party to process your payroll then your payroll company will receive personal data on employees, including national insurance numbers, dates of birth and bank account details, as well as staff salaries.
The Credit Union should document these areas as part of their data inventory. A data inventory is a key stage in preparing for GDPR.
The Credit Union also has a duty to record details of its processing activities. For further information, and how we can help, please see our GDPR webpage.
We are holding a seminar in Glasgow covering GDPR on 22 February. For more details see our events page.