GDPR Support

GDPR (General Data Protection Regulations) are now in force. The regulations bring about significant changes to the data protection rules within the UK. The regulations will affect how you collect, process and store data. With the range of personal data that Credit Unions collect and store, the legislation will have a major impact on how Credit Unions operate. The punishment for failure to comply can be significant, with the ICO able to raise major fines. The articles below provide further information on the new requirements. It is therefore important that you ensure that you are up to date with the new requirements and have the appropriate policies and systems in place.

How we can help


We can carry out a review of your compliance. Our report will highlight areas for improvement and provide guidance to help you implement the rules. Under the new legislation you are required to demonstrate compliance, and this is one of the ways you can meet this requirement.

Credit Union Business Planning


We have provided training on GDPR for Credit Union Board and staff. Our training is tailored to the Credit Union and focuses on key areas for Credit Unions to watch out for.

GDPR Toolkit

Click the icon above for more information on our GDPR Toolkit.

Key steps to preparing for GDPR

You need to decide whether you need a Data Protection Officer. This will be the subject of our forthcoming blog.

Your data register will be a key document in preparing for GDPR. Not only will it let you meet your requirement to record the processing you carry out, but it will also assist in the preparation of procedures and privacy notices. The process of creating the register will involve examining what data you collect and how you use it. As part of this process you will need to consider what bases you will be using for processing data and their implications. Where consent is used, there will be further considerations to take into account. See our blog on preparing for GDPR for more details on a data register.

GDPR needs to be integrated throughout your policies and procedures. There are a number of key requirements of GDPR that need to be included in your policies and procedures, such as dealing with data breaches, documentation that should be kept and security of data.

This could be one of the most time-consuming aspects of preparing for GDPR. Your privacy notices will increase dramatically in size and there are a number of requirements for their content. More information is contained within our blog on privacy notices.

Contracts with any data processors that you use will need to be updated to ensure they meet the requirements of GDPR. For example, they should contain the requirement that the processor informs you immediately of any data loss.

This should include not only a review of data security (both cyber and physical security) but also a review of how you treat data. This should include:

  • Checking you are not collecting any data that you do not need.
  • Considering if all the data you have collected needs to be retained for the same length of time (does a credit check need to be kept for as long as a loan agreement, for example?).
  • Encrypting devices where possible.
  • Ensuring reports do not include unnecessary personal data and use pseudonyms where possible.

Staff and directors need to be trained so that they are aware of their duties under GDPR and the rights of individuals. In addition, staff need to be aware of what to do in the event of a data breach or if they receive a subject access request. The useful link section of this site should assist in giving more guidance on GDPR.

Recent GDPR & data protection articles

Preparing for Brexit

Brexit is fast approaching. No one knows what will happen or all the implications but some planning points to consider are set out below: Data


Retention Periods

With the introduction of GDPR there have been many Credit Unions raising questions as to how long documents should be kept. The general requirement under
