Removing Barriers Blog

CUNA & WOCCU Team Up to Discuss European Union's Data Protection Regulation
Posted May 31, 2018 by CUNA Advocacy

Yesterday afternoon, CUNA hosted a webinar with the World Council of Credit Unions (WOCCU) to discuss the European Union's (EU) General Data Protection Regulation (GDPR), which became effective on May 25th.

Lance Noggle, CUNA Senior Director of Advocacy for Payments and Cybersecurity, along with Andy Price, World Council's regulatory counsel, and Hal Scoggins of Farleigh, Wada and Witt, presented.

The speakers discussed the regulation, which purports to apply to companies anywhere in the world with customers or members living in the EU.

These regulations could potentially apply to American entities that process the personal data of EU residents when offering them goods and services. The term “offering” is determined on a case-by-case basis.

While there is no express civil enforcement mechanism in the GDPR itself, international law will govern the enforcement of any civil penalty. The Federal Trade Commission indicated in the adequacy determination that it will use Unfair and Deceptive Practices to enforce penalties, but there is no rule expressly mandating compliance with the GDPR. Therefore, how, if at all, these provisions will be enforced against US credit unions will be determined over time.

Key compliance requirements under the GDPR include:

  • Business accountability measures that include data protection officers, record maintenance requirements, privacy impact assessments, privacy by design and default for all data collection systems, privacy policies, controller and processor responsibilities, restrictions on transfers to third countries, proof of compliance and mandatory appointment of a data protection officer in certain circumstances;
  • Requiring notification of a data breach to a supervisory authority within 72 hours (subject to conditions) and notification to affected data subjects without undue delay (with certain exceptions);
  • Demonstration of consent in a clear, intelligible manner, with the right to withdraw consent by the data subject. Existing consents may not be valid;
  • Defined consumer rights that include disclosure of data collection, right to access to records and purpose of data collection, right to restrict processing, right to rectification and erasure, right to data portability, right to lodge a complaint, right to legal remedies, right to object to profiling and penalties for violations.

CUNA members can view a recorded version of the webinar, available for free, here.