GDPR (the General Data Protection Regulation) is now in force. The regulation brings about significant changes to the data protection rules within the UK. The regulation will affect how you collect, process and store data. With the range of personal data that Credit Unions collect and store, the legislation will have a major impact on how Credit Unions operate. The punishment for failure to comply can be significant, with the ICO able to impose major fines. The articles below provide further information on the new requirements. It is therefore important that you ensure that you are up to date with the new requirements and have the appropriate policies and systems in place.
We can carry out a review of your compliance. Our report will highlight areas for improvement and provide guidance to help you implement the rules. Under the new legislation you are required to demonstrate compliance, and this is one of the ways you can meet this requirement.
We have provided training on GDPR for Credit Union Board and staff. Our training is tailored to the Credit Union and focuses on key areas for Credit Unions to watch out for.
You need to decide on whether you need a Data Protection Officer. This will be the subject of our forthcoming blog.
Your data register will be a key document in preparing for GDPR. Not only will it let you meet your requirement to record the processing you carry out, but it will also assist in the preparation of procedures and privacy notices. The process of creating the register will involve examining what data you collect and how you use it. As part of this process you will need to consider which lawful bases you will be using for processing data and their implications. Where consent is used, there will be further considerations to take into account. See our blog on preparing for GDPR for more details on a data register.
GDPR needs to be integrated throughout your policies and procedures. There are a number of key requirements of GDPR that need to be included in your policies and procedures, such as dealing with data breaches, the documentation that should be kept and the security of data.
This could be one of the most time-consuming aspects of preparing for GDPR. Your privacy notices will increase dramatically in size, and there are a number of requirements for their content. More information is contained within our blog on privacy notices.
Contracts with any data processors that you use will need to be updated to ensure they meet the requirements of GDPR. For example, they should contain the requirement that the processor informs you immediately of any data loss.
This should include not only a review of data security (both cyber and physical security) but also a review of how you treat data. This should include:
Staff and directors need to be trained so that they are aware of their duties under GDPR and the rights of individuals. In addition, staff need to be aware of what to do in the event of a data breach or if they receive a subject access request. The useful links section of this site should assist in giving more guidance on GDPR.