Data Protection for Credit Unions
First Compliance have a depth of experience with Credit Unions and deliver ‘scale appropriate’ advice to minimise risk relating to GDPR and your data protection obligations.
Our services for Credit Unions fall into one of three categories
- Data protection advisory; expert support for the in-house representative, and practical advice on all data protection related areas for Credit Unions.
- Data protection services; gap analysis, policy and process documentation, process re-engineering, compliance monitoring, incident support, risk assessments, impact assessments.
- Outsourced DPO services; outsourced Data Protection Officer (DPO) services or data protection representation.
“We have found them easy to deal with …. have a range of legal, technical and Credit Union experience that means they understand the risks associated with data protection for credit unions …. a robust process which is appropriate for the scale and nature of Unity Credit Union and I would recommend Paul to others who need support with Data Protection.”
Pat Owens, CEO Unity Credit Union
Recent Data Protection fines that are relevant to CUs
Two Data Protection fines of note to CUs over the last 3 months;
€107K – Danish Cancer Society – Insufficient technical and organisational measures to ensure information security. Notably, they did not maintain the standards that they set in their own documentation.
€34K – Hippius ehf Iceland – Electronic surveillance (cctv) of staff at work and insufficient transparency (notices) relating to the monitoring devices. They also impeded the data protection authority’s access to data during the investigation.
How to avoid inadvertent ‘electronic monitoring of staff at work’
It is unlawful to electronically monitor staff at work except in special circumstances where the rights of other subjects outweigh those of the employee, or the service being delivered warrants such surveillance. Should you monitor staff in an unlawful manner, even inadvertently, this can have serious consequences in the context of staff grievances.
Most solicitors or citizens’ advice bureaux engaged to advise a member of staff on foot of a grievance will suggest an Access Request. However, should this reveal unlawful electronic monitoring of staff, even if it is not directly related to the grievance, this information is likely to be impactful in a tribunal or court setting.
The top items that we would recommend reviewing are;
- The use of cctv. It is unlawful to use cctv for the monitoring of staff at work in most instances, and where it is appropriate, the purpose for this monitoring must be clearly communicated with the employees. The two best actions that you can take to protect yourself against the inadvertent use of cctv in this manner are to;
- complete a detailed audit of all cctv cameras, monitors and signage, and adjust your system to ensure compliance and
- provide training to staff to ensure that they do not use images seen on a monitor in a manner that will expose the CU to harm.
- The use of voice recording. This is electronic surveillance and is often overlooked. Care should be taken, particularly with outgoing calls, to ensure that calls are being lawfully recorded. This means that staff need to be aware of the recording at all times and to have been informed of their rights.
- The use of biometric systems for access or timekeeping. These systems need to be assessed to ensure that processing is lawful, and in most instances this requires consent. Lawful consent must be freely given and in the context of employment, this typically means that there must be an alternative that staff can freely elect to use.
Addressing each of these issues is typically a once-off action and will reduce the risk of ‘electronic monitoring of staff in the workplace’ being used against the CU in the event of a grievance.
If you need assistance to review your electronic surveillance systems we will be pleased to help.
What an effective GDPR gap analysis should include
The quality of gap analysis, maturity or compliance assessments can vary significantly and this brief piece looks at what an effective analysis looks like and why detail matters.
What an effective analysis looks like
A properly constructed maturity assessment for a CU generally has three distinct elements;
- Review of compliance documentation; principally data protection policy, retention policy, privacy notice, record of processing activity, data catalogue detailing access and retention requirements, and contractual arrangements with members, staff and suppliers.
- Analysis of the CU by its individual functions; General (lawful processing, policies & notices), membership, loans & credit control, insurance or other services, staff, marketing, suppliers and IT. Your CU may have one or more additional elements. This should include a review of the lawful basis for the obtaining and processing of data for each purpose.
- A detailed analysis. This means that for each issue identified there is;
- A description of the issue
- Detail of the reason why this is an issue (the specific point of law or risk to the Controller)
- Granular instruction on the action required to mitigate the issue
- A measure of the risk to the CU associated with each item
This structure allows the CU to identify what practical actions need to be taken and enables the CU to engage the appropriate resources.
Why detail is important
A high level review that confirms that the basics are in place may be of comfort, but is unlikely to equip the CU to mitigate against risk from data protection regulation. Detail is required to address the individual issues and to protect the CU from harm.
In our experience, most CUs in Ireland are aware of their responsibilities and have processes in place to manage personal data in a responsible manner. The issue is how good those systems are and what actions can be taken to reduce the CU’s exposure to risk.
State Authority Access Requests – Why the process is important
Data released to a state authority needs to be managed in a structured and lawful process. In the context of a prosecution, defence lawyers will always test the legality of the process by which data was obtained with a view to having it dismissed. If the process is not properly documented, or the defence considers it worth fishing for an infringement, the CU officer that released the data is likely to be called as a witness.
Where data that is a key element of a prosecution (e.g. cctv identifying the person, or transaction records that implicate a person) is proven to have been unlawfully obtained, it will most likely destabilise the case and expose the CU to;
- Loss of reputation
- Possible costs
- A significant distraction and loss of time for the CU
The key elements of the good management of State Authority Access Requests are;
- Have an individual identified within the CU to manage state authority access requests.
- Have a documented and structured process in place.
- In the absence of a court order, make sure that the relevant law under which the data is requested is quoted to the CU and recorded prior to the release of data.
- Detail is important. Always be mindful that this could end in court with you as a witness.
- Document the request and the formal identity of those making the request. A template ‘state authority access request’ form is included in the documentation available from First Compliance upon request.
- Taking time to get the process and information right is time well spent. In a court setting, information that has taken some time to obtain but is accurate is infinitely more valuable than information that is fast but potentially compromised.
These simple actions will help the CU to avoid a potentially unlawful release of data and enable you to manage these events with confidence.
Recent GDPR fines that are relevant to CUs
These fines create a precedent for our data protection commission and for any civil cases that may result from these types of incident;
Un-named entity – January 2021 France – €150K for a Controller and €75K for a processor. Insufficient security measures. User identifiers and passwords were compromised at a large scale e-commerce site and used for credential stuffing attacks. The relevance of this to CUs is the allocation of the penalty. Where a processor is complicit in the loss of data, it is the Controller that ultimately carries the brunt of the responsibility and liability.
It is important for CUs to reassess data protection agreements that they have in place with IT providers, particularly for core systems, network providers, credit rating, analytics or other online services. A well constructed data protection agreement laying out the Controller’s instructions will serve to protect the CU from liability in the event of a breach.
Medical University of Silesia – January 2021 Poland – €5,500 due to a failure of breach process. This arises due to a failure to adequately risk assess and identify a breach as high risk and to inform the Subjects in a timely manner (72 hours from becoming aware). It is important for CUs to have a process in place to assess the severity of breaches and to act in good time.
ING Bank – December 2020 Romania – €3K. Failure to keep data accurate and up to date. A customer closed their last remaining service with the bank (a current account, in 2017); however, ING closed that service without updating the status of the business relationship. This resulted in communication with a Subject that had already cancelled their relationship.
CUs need to be aware that further unnecessary communication with former members, using data provided while they were members, will create an exposure to a fine in relation to each person that receives an unlawful communication.
Simplifying the Data Protection Process – 6 Top Actions
A year and a half since the introduction of GDPR we now know that much of the early guidance was over-engineered. In our experience with Credit Unions we have seen processes that fail to fully protect against risk from data protection and a number of areas that are commonly overlooked. Here are our top 6 areas for simplification and risk reduction.
Simplify your Privacy Notices
We still see many Credit Unions with multiple Privacy Notices. A CU should have a single privacy notice for new members, loan applicants or any others engaging with the CU. Provision of a privacy notice needs to be acknowledged once and evidence held on file. According to the legislation, there is no further notification obligation if “the data subject already has the information” (Article 13.4 of GDPR). However, it is prudent to use further ‘acknowledgement tick boxes’ at certain times.
A move to reduce unnecessary paperwork will save time and money, and help to take the mystique out of data protection processes.
Consider your Requirement for a Data Protection Officer (DPO)
There is no legal requirement for most CUs to appoint a DPO. Current appointments are on a voluntary basis. A DPO is a statutory role and carries many obligations and liabilities as well as a number of constraints. If you are considering this requirement for your CU, a data protection representative, supported by an industry expert, will typically provide a more effective and less costly solution.
This style of arrangement is easier to manage, exposes the CU to less risk and allows the CU to tap industry expertise without the overhead of further internal up-skilling.
Management of Access Requests
We see widespread treatment of Access Requests in a legalistic manner. This is often not to the benefit of the CU and we would normally recommend that CUs try to correct the root cause of why a person is looking for their data, rather than focus on the legal requirements. Picking up the phone to understand the problem, even where there is a solicitor involved, is advisable and usually delivers better outcomes.
Management of Access Requests should also be supported by;
- A documented Access Request process that has less legal jargon and more practical guidance and
- Practical training
Additionally, State Authority Access Requests – a request made on behalf of the state – will need a separate process to protect the interests of the CU in the event of data released being contested in court.
And lastly, there are times when it is advisable to seek help, and the issue of what you can and cannot disclose can be a minefield for someone who does not deal with this on a daily basis. We would encourage you to speak with us at an early stage if you need assistance with an Access Request.
Maintain an operational risk record
Many CUs do not operate a simple risk record that documents the risk assessment of data protection decisions made by the CU. This covers issues like the acceptance of particular forms of ID, the management of nomination information, data relating to vulnerable persons, voice recording decisions and other issues where a judgement is required.
These items should be risk assessed and signed off by the risk/compliance committee. It is a simple process, adds real clarity and will form the backbone of a defence in the event of one of these decisions being contested in a legal setting.
Review Electronic Surveillance
CCTV; Inadequate management of CCTV is a common exposure for Credit Unions. Of particular note are the;
- Monitoring of staff at work
- Recording in public areas
- Display of live feeds on monitors within the building
This is particularly relevant in the event of a legal action against the CU by a member of staff. An audit of each camera, its purpose and notices, and corrective action can resolve this exposure. It is a quick, inexpensive and easy win.
Voice Recording; It is apparent that many CUs are blanket recording voice calls on the basis of a requirement by the FSPO to provide evidence in the defence of a claim. On the other hand, such blanket recording may also capture personal calls, calls in which Subjects reveal Special data or credit card details, and outgoing calls made without a privacy notice.
The management of voice recording is a well understood field and professional support to review related process is advisable. This will reduce the CU’s exposure to risk.
Document clear Data Structures
A clear vision of what data is being processed by a Credit Union, who has access and when that information should be deleted is essential. It is advisable to present this type of information in a simple and understandable grid format. This document should represent what the CU needs to deliver to be consistent with law, not the restrictions imposed by current system providers.
This action will;
- Provide greater clarity to staff when considering the destruction of data
- Arm the CU with a clearly articulated vision when discussing options with a system provider
- Assist with the tagging of documents when using a document management system
- Document access control and data deletion structures in accordance with Article 30 of GDPR
We have developed these structures for other Credit Unions and if you could benefit from help with the development of a data and documents schedule for your CU we will be pleased to assist.
These 6 actions
All Credit Unions can advance the maturity of their GDPR safeguards and simplify their processes by considering these factors. If you could benefit from professional assistance with any of these issues please feel free to reach out to First Compliance.
Why CUs need their own Data Protection Agreement with Suppliers
Terms and conditions provided by any supplier are designed by their legal advisors to protect the supplier’s interests. Where a supplier is a Processor of a CU’s personal data these terms are of greater significance and can expose the CU to considerable risk. A Processor has an obligation in law to take instruction from the Controller, and the absence of such instruction from CUs has allowed suppliers to define the arrangement. These risks are;
- Retention of personal data; This is normally defined by a supplier to ensure that they do not fall foul of their commitments. The CU is liable for this data and in the absence of control imposed by the CU is exposed to liability in the event of a breach by the supplier.
- Reporting; Conditions around the reporting of breaches, management of access requests and access to data for audit purposes should be defined by the CU.
- Liabilities; A Credit Union is a Controller and cannot outsource the responsibility for Data Protection obligations. A Processor is obliged in law to take instruction from the CU, and the lack of such instruction from the CU will reflect poorly in the event of a regulatory inspection.
Impact of not addressing this issue
A Controller can outsource processing functions, but cannot outsource regulatory responsibility for personal data. This means that the CU is ultimately liable for the actions of their Processors. Without a written agreement in place that represents your interests, the CU is at the mercy of an agreement written to protect the interests of the supplier.
This exposes the CU to unnecessary risk in the event of a complaint to the regulator or a claim as a result of actions by the supplier.
Prepare a Data Protection agreement for Suppliers, whether they are Controllers or Processors (a single document for both is advisable) and implement it with suppliers. This is an easy win and recommended for all CUs.
Reason; Experience in the CU sector and many other sectors has demonstrated that many organisations have not been in control of the Data Protection elements of their supplier contracts. In contrast, supplier legal advice has generally been good. The implementation of a balanced agreement with suppliers will reduce exposure to risk and will serve the CU well in the event of a claim.
If you need assistance with the implementation of a Supplier Data Protection Agreement we will be pleased to help.
New enforcement relating to Cookies
All businesses in Ireland have been put on notice by the regulator to bring their use of website Cookies up to date by the 5th October or face enforcement action. This has been a measured notice from the DPC that gave businesses 6 months’ notice to get their processes in order, and we can expect swift action thereafter.
What you need to know: the use of Cookies requires one of the following;
- consent from the website user, or,
- where Cookies are Necessary, clear and comprehensive information that is prominently displayed, including the purpose for processing (e.g. in a prominent banner). This relates to Necessary cookies only.
In addition;
- Consent cannot be bundled; it must be per purpose.
- Consent must be explicit, i.e. not implied or pre-ticked to ‘on’.
- Analytics software is not Necessary and requires consent.
- A separate cookies policy is advisable.
The DPC will carry out regulatory inspections following the 5th of October. This will result in fines and the names of offenders being published.
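To show what the per-purpose, explicit, not-pre-ticked requirements above mean for a website’s consent logic, here is an added example (not First Compliance’s or the DPC’s code); the purpose names, the consent record format and the helper functions are this example’s own assumptions.

```javascript
// Added example: a minimal per-purpose cookie consent model. Purposes, record
// shape and function names are assumptions made for this illustration.
const PURPOSES = {
  necessary: { requiresConsent: false, description: 'Session, security, load balancing' },
  analytics: { requiresConsent: true, description: 'Usage statistics (not Necessary)' },
  marketing: { requiresConsent: true, description: 'Advertising / tracking' },
};

// The pattern the notice rules out: one bundled decision, pre-ticked to "on",
// with no explicit action by the user.
function preTickedBundledDefault() {
  return { bundled: true, granted: true, explicit: false };
}

// Compliant starting state: nothing non-Necessary is granted until the user
// acts, and each purpose is recorded separately.
function initialConsentState() {
  const state = {};
  for (const name of Object.keys(PURPOSES)) {
    state[name] = { granted: false, explicit: false, decidedAt: null };
  }
  return state;
}

// Record one explicit, per-purpose decision (the user ticks or unticks a box).
// Necessary cookies take no consent decision; they rely on the information notice.
function recordDecision(state, purpose, granted, now = Date.now()) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  if (!PURPOSES[purpose].requiresConsent) {
    throw new Error(`${purpose} is Necessary; no consent decision applies`);
  }
  return { ...state, [purpose]: { granted: Boolean(granted), explicit: true, decidedAt: now } };
}

// Validate a stored consent record against the listed rules:
// - one decision per purpose (not bundled),
// - a granted purpose must carry an explicit decision (not implied / pre-ticked).
// Returns a list of problems; an empty list means the record is acceptable.
function validateConsentRecord(record) {
  if (record === null || typeof record !== 'object') return ['record is not an object'];
  const problems = [];
  if (record.bundled) problems.push('consent is bundled; it must be per purpose');
  for (const [name, meta] of Object.entries(PURPOSES)) {
    if (!meta.requiresConsent) continue;
    const entry = record[name];
    if (!entry) {
      problems.push(`no separate entry for purpose "${name}"`);
      continue;
    }
    if (entry.granted && !entry.explicit) {
      problems.push(`"${name}" granted without an explicit decision (pre-ticked / implied)`);
    }
  }
  return problems;
}

// Cookie categories that may be set: Necessary always; every other category
// only on an explicit, granted decision. An invalid record yields Necessary only.
function allowedCategories(record) {
  const allowed = ['necessary'];
  if (validateConsentRecord(record).length > 0) return allowed;
  for (const [name, meta] of Object.entries(PURPOSES)) {
    if (meta.requiresConsent && record[name].granted && record[name].explicit) allowed.push(name);
  }
  return allowed;
}

// Analytics software is not Necessary: load it only when consent allows it.
function mayLoadAnalytics(record) {
  return allowedCategories(record).includes('analytics');
}
```

The bundled, pre-ticked default fails validation and so never unlocks analytics, while a record that starts unticked and gains one explicit per-purpose decision does.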
The relevance of Schrems V DPC (Facebook case) ruling on CUs
The use of Privacy Shield as a lawful mechanism to transfer data to the US has fallen. There are three effects of this ruling on CUs in Ireland. They relate to Suppliers, the use of EU Standard Contractual Clauses for the international transfer of personal data and Brexit.
Suppliers
This includes your operational system, networks, voice recording, video conferencing, ID vetting, risk/financial services and advisors. Where any of these suppliers are using third parties to develop, store, provide backup services or transmit personal data belonging to the CU, and these sub-suppliers are American corporations (which is often the case), you have an obligation to ensure that your data is being processed lawfully.
The questions to ask are;
- For all suppliers who are ‘Processors’ – a list of all their suppliers that process your data and, where such suppliers are not in the EEA, the legal basis for transfer (they are obliged to provide this to you).
- For all suppliers (Processors & Controllers) – confirmation that they do not rely upon Privacy Shield as a legal basis for the processing of your data. This applies to all levels of their supply chain.
A documented record of these two actions will serve you well.
The use of EU Standard Contractual Clauses (SCCs) for the international transfer of personal data
The use of SCCs will become more prevalent in the immediate future; however, their validity depends on the adequacy of the data protection practices at the data recipient’s location. This has been called into question in relation to the US. Having a written agreement is not good enough; it needs to operate effectively in reality.
This is not something that an individual CU is going to have a meaningful role in addressing, however, CUs need to be aware of the issue and actively monitor events as they unfold. Almost every business in Ireland relies on online US technology in one way or another (e.g. CU data on Apple or Android mobile devices or video conference) and the CU’s data protection representative should actively monitor this issue.
Brexit & international transfer
If the UK keeps to its word to exit at the beginning of 2021, and does not arrive at an agreed position with the EU over the coming months, this will result in a hard break. The UK will be considered like any other international location without an Adequacy Ruling, much like the US.
Interaction with UK entities will then require SCCs at a minimum, and in the meantime the lowest risk avenue for CUs is to avoid contracts with UK organisations with whom they may have to share Member data.
Always be assured that Members resident in the US or the UK that request you to transfer their data (statements and correspondence) to them are effectively providing you with authorisation. It is important to keep a record of this request.
Note; We recommend that post to non-EEA locations containing personal data is sent by registered post.
Implication of recent Data Protection fines on CUs
Four Data Protection fines of note to CUs over the last 3 months;
- €24K for a third person receiving a bill with personal details [name, address, acc No.] of another (Spain 2/7/2020)
- €2K fine for use of cctv that recorded a public space (Spain 20/7/2020)
- €5K for failing to take adequate technical and organisational measures to protect Special Data from unauthorised disclosure (Spain 20/7/2020)
- €288K for retaining ‘a large amount of customer data which were no longer relevant to the purpose of collection’ and poor data management – not using encryption (Hungary, 12/6/2020)
Fines issued in other EU jurisdictions are subject to the EU consistency rules and set precedent for actions in Ireland. The fines selected above are relevant to CUs in Ireland and the implications are obvious to readers of this column.
While CUs in general pay good attention to issues relating to the unintended exposure of member data, more attention is often needed with the management of the retention/destruction of historical data, the use of cctv and the control of Special data. This exposes a CU to threat in the event of an action taken by a member or by staff.
The risk from these items can be mitigated by;
Retention/destruction of historical data
- Attention to the retention of expired loan data (including not-drawn-down loans, declined loans or abandoned applications), particularly relating to supporting documentation and to 3rd party data. It is advisable to develop a catalogue of data and documents. This is well established at this stage and should be completed by CUs of all sizes.
Use of cctv
- Obtain and process cctv data lawfully when covering public areas. This typically involves a combination of masking, better notification, acknowledgement by a recognised public authority, or consent from a 3rd party property owner.
- Review the use of internal cameras, monitors and notices to ensure that this recording cannot be leveraged in an action against the CU by an employee.
Control of Special data
- In particular health data (staff & members) and trade union membership (on payslips). Ensure that only necessary data is retained and that staff are trained to redact prior to scanning or filing documents.
If you need a data protection maturity assessment, or expert assistance with any of these issues, please contact First Compliance.
Nominations – remaining lawful in the context of GDPR
There has been much time spent debating the impact of GDPR upon Nominees, and in particular the requirement relating to the obtaining and the provision of access to nominee information. We provide a concise analysis and recommend a 4 point plan to minimise the exposure to a Credit Union.
What are the data protection issues with nominations
The key considerations relating to the lawful processing of nominee data are as follows;
- Obligation to inform Subjects of personal data obtained indirectly.
- Denial of access to nominees on foot of an access request.
- Providing members access to their nominee details.
We have examined the management of obligations relating to Nominees in the context of the Credit Union Acts, the Succession Acts, the exceptions to disclosure provided for under GDPR and Irish legislation. None of these provide particularly ideal justification to administer nominees in the manner commonly used today.
Actions to mitigate against risk
Considering this position and the almost universal position of Credit Unions to continue to manage nominations in the same manner, we suggest that you consider the following actions to demonstrate due consideration of the rights of the Subject (the nominee) and to protect the interests of the Credit Union should they become the test case in this regard.
Actions to protect the position of the Credit Union include;
- Document an operational risk assessment with a particular focus on the three elements listed above.
- List the safeguards that have been put in place.
- Implement a standard notice relating to Nominees that is to be included in all Access Request responses.
- Re-format the nomination form to bring it into line with the requirements for a document that is subject to the Succession Acts (the requirements for a will).
Retention of nominee data
Article 21.5 of the Credit Union Acts states that each Credit Union shall keep a record; (a) of the names of all persons nominated by its members under subsection (1) and such other details as will positively identify the nominees; and (b) of all revocations or variations (if any) of nominations under that subsection. We suggest consideration of the following process to satisfy these requirements and balance them with your data protection considerations;
- Record nominees in the format suggested in point 4 above.
- Create a separate form for Revocation. It should confirm the wish of the member to revoke the previous nomination and the date that that nomination was issued in the first instance, and it should be signed and dated.
- In the event of a member wishing to appoint new nominee(s); retain a copy of all revocations and of the current nominee form only. i.e. no personal data relating to previous nominees.
- ‘Variations’ are to be attached to the current nomination.
A hard Brexit – key actions for CUs
The UK may be outside of the EU in the near future and this will require safeguards to be put in place by organisations in Ireland before they transfer personal data to the UK, including Northern Ireland. We summarise your legal obligations and the simple actions required to ensure that your Credit Union is not exposed.
Transfer to countries outside of the EU requires one of the following;
- An Adequacy Ruling by the EU. This ruling judges the third state’s data protection as adequate for the processing of EU personal data without additional action, e.g. Switzerland or New Zealand.
- Appropriate Safeguards, these include among other things
- An EU standard data protection clause between the organisations.
- Binding corporate rules.
- Approved codes of conduct.
- Failing the above, in specific cases, relying on consent from the Subject, or the performance of a contract with the Subject.
The awarding of an Adequacy Ruling to the UK in the event of a no deal Brexit is not a given. The enactment of legislation granting powerful surveillance and retention powers to UK policing authorities in 2016 has already been judged as inconsistent with EU regulation and may prevent a full adequacy ruling.
Note: the UK has already stated that it is permitting personal data to flow freely from the UK to the EU.
Advance planning that is likely to minimise exposure to the Credit Union in the event of a hard Brexit includes;
- Assess your IT systems and ensure that you are not transferring personal data to the UK (e-mail, operating systems, analysis systems, insurance, storage of voice or cctv).
- Where a written instruction has not been already received, write to all members who have requested their documents to be sent to the UK to confirm that instruction in writing.
- Amend your membership agreements to state that instructions to transfer data outside of the state are considered an expansion of their agreement with the Credit Union. This is not strictly necessary, however, it is a measure that is likely to provide additional clarity and confirm that any instruction is part of a contract (membership agreement) rather than consent. This will reduce the likelihood of an action against the Credit Union.
Breaches – When should a Credit Union report
Breaches are one of the critical events most feared by any organisation. Where the personal data involved includes financial data it can become an emotive issue for Members and result in regulatory intervention. There are specific processes and actions that will minimise exposure and we summarise them below.
Understanding the process & high level actions
This is a well understood process, however there is often a nervousness when individuals need to apply it in practice. You can find a fully documented breach process here. The three basic steps (in this order) are to;
- Take action to minimise/correct exposure or risk to the Subject.
- Assess the risk to understand if the DPC or Subjects need to be informed.
- Document the actions taken.
A breach relates to the loss of control over personal data, and only needs to be reported when it poses a risk to the rights and freedoms of the Subjects. A breach can include;
- A cyber breach.
- Accidentally providing the personal data of one member to another.
- The loss of a laptop, mobile phone or other device containing personal data.
- Sending an e-mail to the wrong person.
- Using data for an unlawful purpose. This is often unintentional but is nonetheless a breach, e.g. cctv, excessive voice recording, or the use of proof of identity or other contact details for a purpose other than that for which they were obtained.
The most effective way to prevent these incidents is through the implementation of good process and staff training.
How to manage breaches with ease
The main reasons why breaches cause real stress to a business are their infrequent occurrence and the threat of having to report to the regulator. We would suggest the following actions to most organisations to ensure that they are confident in their steps to react to a breach;
- Have an individual (not necessarily a DPO) appointed to be knowledgeable of the process and to take ownership.
- Have all staff trained to react immediately and to report internally. There is a 72 hour timeline on reporting obligations.
- Know when to report. Have a simple risk analysis prepared in advance. Reporting is normally advisable except where the data is encrypted or has been transferred to a trusted party. Note; there is no penalty if a reported breach is withdrawn or reclassified at a later stage, and the Data Protection Commission (DPC) currently encourages reporting.
- Be aware that the DPC is focused on delivering good outcomes and will provide advice to you if need be. They are good to engage with and not likely to impose punitive conditions upon a CU unless these are warranted.
- Know when you need help. These may include;
- IT support.
- Professional advice relating to reporting obligations.
- Risk mitigation actions.
- Train staff; training to create a culture of data protection is one of the most effective ways to avoid and to react to breaches.
We do not wish to underplay the significance of a data breach, simply to emphasise that good preparation and a cool head in the event of a breach are likely to protect the Credit Union from reputational or regulatory harm.
Subject Access Requests – The key elements for ‘street wise’ management of Access Requests
Many Access Requests are the result of grievances by members or by staff, and these events are often a key indicator of another underlying issue or a possible legal action. There are 5 clear actions that every CU needs to implement to assure good process and ensure that it avoids some of the hurdles that could result in litigation or regulatory action.
There are many standard parts of the legislation relating to Subject Access Requests (SARs) that are commonly understood within the CU community, like the 30-day timeline, the exceptions to the requirement to disclose, and how to respond to Subjects legitimately. We provide a complete process document here for free. This paper focuses on how to remain ‘street wise’ while managing Subject Access Requests.
The 5 key ‘street wise’ elements to avoid unintentional harm to the CU are;
Recognise a request
Valid and legitimate requests may be served electronically, on paper or by word of mouth. Particular attention needs to be paid to;
- Recognise a request. GDPR has enabled SARs to be served orally, and all members of staff need to be aware that if a member requests access to their personal data, this has a legal implication. Where a member of staff is not certain if they have been served with a SAR, it is essential that the data protection representative is informed and can decide on a course of action.
- Recognise if this is a request for ‘information’ or for ‘access’. There are separate requirements in law for each of these situations, and a false interpretation of the request could expose the CU to unnecessary effort or to liabilities.
De-escalate a request at an early point
Our experience is that Controllers often assume that a request is for full disclosure of information. We typically recommend that the CU communicates with the Subject at an early stage and asks the Subject what they are looking for. This will typically reduce the amount of data required and provide an opportunity to understand the context of the SAR. This simple action will often de-escalate a situation and enable the CU to address the core motivation behind the request.
The importance of Identity
Having identified a request, this is perhaps the most important action to avoid a reputation-damaging breach. Personal Data must be requested and released to the Subject only, and if the request is made by a third party representing the Subject, this must be verified explicitly. Be thorough. If the CU fails on this count and solicitors become involved at a later stage it will cause real harm.
Many organisations accept the bona fides of a request from a solicitor on a subject’s behalf, and the regulator has indicated likewise; however, it is prudent to always seek validation.
Additionally, scammers have been known to go to some length to impersonate a Subject to access data. If the CU falls for this trap and releases personal data, this will be a data Breach. A scam of this nature is normally with a view to extortion, and the mere association with this type of activity can cause severe reputational damage to a CU.
Follow a documented process
All elements of the SAR process need to be administered effectively. A well written process will guide the CU and demonstrate data protection preparedness to the regulator in the event of regulatory action. A full SAR process document is available free here from First Compliance.
It is also sensible to have a well-constructed Privacy Notice that fulfils many of the other requirements relating to notifications to a Subject in the event of a SAR. This will avoid an inadvertent failure to comply with the specific requirements of a SAR response as detailed in law.
Understand what has to be disclosed
The CU has an obligation to store personal data in a lawful manner, and that includes both the capacity to keep it safe and to organise personal data in a manner that enables access or deletion consistent with its purpose. Many CUs also have historical systems (often on paper or microfiche) that cause further difficulty. These formats need to be catalogued.
In any event, the CU needs to make reasonable effort to retrieve such data and to be aware of the exceptions to disclosure. There are many exceptions to disclosure, and perhaps the most discussed (nominations aside) is the release of data relating to employees in the course of their work. Precedent has been set in the French and Irish courts that suggests that an organisation does not need to release data that is exclusively related to the fulfilment of a work function unless it is in some manner personal to the Subject.
Particular care also needs to be taken not to release third party personal data. We recommend a thorough review of data to be released, typically by a person other than the one who compiled the data, to redact all third party data. This simple action inevitably results in a safer process.
Similar information relating to Access Requests by State Authorities (Garda, CAB and etc.) can be seen here.
State Authority (Garda, CAB and etc.) Access Requests – How to avoid embarrassment in court
State Authority Access Requests (SAAR) are a relatively common occurrence for Credit Unions, with a request for cctv footage being the most common. This is typically on foot of an investigation of a potentially illegal act, and the information that you provide is evidence. If the case goes to court you will be called to validate that this data was obtained legitimately by you and by the authorities.
It is important to stick to a formal SAAR process and never to take a shortcut. Acknowledging that you took that shortcut is likely to be the event that causes real embarrassment in court. In the event of key information having been obtained unlawfully, it will destabilise a case and in many instances cause a judge to halt the proceedings. This may subsequently result in the CU being pursued for an unlawful release of personal data.
The key elements of the good management of State Authority Access Requests are;
- State authorities can ONLY request data on the basis of a law. Make sure that this is quoted and recorded by the CU before any release.
- Always be mindful that this could end in court with you as a witness. Solicitors will always examine the legality of the obtaining of key data. This has the potential for a judge to dismiss a case.
- Be prepared and follow the process tightly. A full SAAR process document is available here at no cost from First Compliance.
- Document the request and the formal identity of those making the request. A template report is included in the documentation from First Compliance.
- Unless it is an emergency, taking time to get the process and information right is time well spent. In this environment, information that takes time but is accurate is infinitely more valuable than information that is fast but potentially compromised.
- Apply a good measure of common sense. It is never the intention of a Credit Union to frustrate authorities, simply to make sure that process is not compromised.
These simple actions will help the CU to avoid a potentially embarrassing release of data and enable you to manage these events with confidence.
How to keep it simple
Data Protection regulation is often implemented in Credit Unions in a manner that could be considered over-engineered. While in many aspects this is necessary, particularly because of the nature of the business of a Credit Union, GDPR provides for many aspects of compliance to be proportionate to the scale and nature of the Controller. This enables CUs to make risk-based decisions relating to implementation. We are examining operational risk in this context.
Credit Unions need to take a ‘call’ on many items that require judgement. These items are considered in good faith in the interest of both the Members and the CU, however they may be open to regulatory challenge. Issues that may require a judgement call include;
- the acceptance of ID from a person who may not have a passport or driving license,
- managing vulnerable persons in the context of the Assisted Decision Making Acts,
- live monitoring of cctv in certain circumstances,
- the obtaining of and access to Nomination data, or
- the retention of withdrawn loans information.
The Credit Union needs to document the rationale and considerations that led to these decisions and demonstrate that risks to the rights and freedoms of the Subjects were considered. We recommend the maintenance of an Operational Risk Record (ORR) that documents each of these decisions and delivers;
- A description of the issue
- The decision taken
- The safeguards put in place to protect the Subjects,
- The effect of not taking this decision
- A risk analysis of the impact on the Member and the CU
This enables the CU to make reasoned decisions relating to the delivery of service and demonstrate a structured process to manage operational risk.
Once implemented, this process is easy to maintain, enables the CU to systematically manage data protection related operational risks, and to defend its position in the event of an action by the regulator.
How to protect your Credit Union against risks relating to GDPR
Data protection regulation can be seen by many Credit Unions as another piece of legislation that puts more obligations on the organisation, however, many have not taken simple steps to minimise the risks from GDPR. This piece explores how to simplify your processes and to reduce exposure to GDPR related risk.
A risk based approach to GDPR
Managing data protection obligations has come into clearer focus over the last few years due to the additional regulatory requirements imposed by the GDPR. There is a very real threat of this legislation becoming a divisive tool in the event of legal action against the CU. There are three distinct categories of activity that any CU should consider to evaluate their level of data protection maturity;
- Gap analysis to identify exposures
- A plan of action to understand the risks and close vulnerabilities
- A clear and simple ‘monitoring, reporting and reaction’ plan for ongoing management and oversight
This may sound simple, and these activities may overlap, however, segmenting your approach in this manner brings real clarity and enables you to impose structure on those engaged to manage these obligations for the CU. These steps will enable a risk based approach and position the organisation to embed a culture of data protection. They will also minimise the effort required to remain compliant.
Where the risks from GDPR come from
The risk of liability will typically come from members of staff, your members, your suppliers, or from criminality.
Employees/Volunteers and GDPR
There are many issues to consider in relation to staff. These are the three most likely to help you significantly reduce risk;
- Employee handbook; have well-written data protection terms in your employee handbook. Remember to cover the use of e-mail, social media, the use of ‘work based’ personal data in the event of an Access Request, and the personal responsibility of an officer in a regulated industry.
- Electronic surveillance; this is the most likely activity for a solicitor to focus on in the event of conflict. Significant awards have been paid out for infringements relating to the monitoring of staff in the workplace. If you use cctv and voice recording you need to ensure this data is used lawfully. Reliance on data used unlawfully can jeopardise a case and an opposing lawyer will know this. Caution is advisable.
- Training; provide your staff with appropriate ‘street wise’ GDPR training and they are less likely to inadvertently cause you a liability.
Customers/Suppliers and GDPR
Where a customer or supplier owes you money, has a complaint or is exposed to a liability themselves and they seek legal advice, they are likely to use any GDPR infringements by you to their benefit. The top actions to protect yourself from claims are to;
- Have a well written data protection clause in contracts with customers and suppliers.
- When provided with customer/supplier third party personal data (their employees etc.), ensure that they warrant that the data has been obtained lawfully.
- Cater for the transfer of debt and use of sub-contractors.
Malicious Attack/Hackers and GDPR
This is becoming an increasingly relevant concern to all organisations as people become more aware of the value of personal data. Ill-doers know how easy it is to sell personal data on the dark web and that controllers will often pay to retrieve their valuable data (rather than have it made public). Recommendations for preventing malicious attack are;
- Keeping paper documents secure, particularly the personal data of members. Data theft isn’t necessarily digital.
- Knowing where your digital data is processed and how it is used. Many CUs do not know where their data is (often in e-mails or on managed services) and do not have a full picture of how that data is processed. A simple data flow map that is easily understood by management can be very informative and a practical solution. The CEO and senior management need to know this, not just the IT person.
- Good housekeeping; keep anti-virus and firewall software up to date and systematically examine access logs for your IT systems and secure locations.
- Most staff have a positive approach to data security when their responsibilities and obligations are explained in a clear manner and without the legal mumbo-jumbo.
Managing business risks relating to GDPR
Be aware of false positives
Many Credit Unions have documentation or processes in place to manage GDPR obligations that are high on good intent but often miss key elements that;
- A claimant’s solicitor will focus upon in the event of a claim
- Are designed to protect the organisation from harm
- Can be implemented in practice in the context of a Credit Union
Top offenders are often the IT department or a legal person with a surface level knowledge of the relevant legislation. A data protection maturity analysis in the context of your current preparedness for a GDPR related claim may close many gaps and minimise your exposure to risk.
Keeping your Credit Union GDPR compliant
The basics are simple
- Know your purpose and basis for processing personal data
- Have the basic data protection policies in place
- Inform subjects of their rights (a mature privacy notice is essential)
- Have an ‘Access Request’ and ‘Breach’ process in place
- Keep personal data secure
These are the basics that a representative will require to protect you in the event of GDPR being used in a claim against you.
You can find the FREE First Compliance ‘Access Request’ and ‘Breach’ processes documents here.
Is a Credit Union obliged to appoint a DPO and are there alternatives?
There is no clear obligation on Credit Unions to appoint a Data Protection Officer (DPO). Here we provide a concise explanation of the law, the considerations, risks and observations. With the recent circular by the Data Protection Commission (DPC) to many Credit Unions, this has become a topical issue and we hope to bring clarity to the consideration of this role.
1.1 The requirement to appoint a DPO is defined by Article 37 of the GDPR and summarised here by the Irish DPC;
“An organisation is required to appoint a designated data protection officer where:
- the processing is carried out by a public authority or body;
- the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.”
1.2 The position of a DPO is a statutory one with legal requirements and responsibilities.
1.3 It is unlikely that the activities of an Irish CU could be considered to meet any of these three requirements; consequently any appointment of a DPO will be voluntary.
Considerations for Credit Unions
2.1 There was an early rush to appoint DPOs across the sector and it has become normalised for many. This appears to have been encouraged by the ILCU.
2.2 There has been a general misconception across many CUs that the person who ‘owns’ data protection within the CU has to be a DPO. When we explore what the boards actually want, a Data Protection Representative (DPR) is often sufficient. The term DPO should not be loosely used for this role.
A DPO is a statutory role that has many powers mandated by law (see 3.2 below), and is designed to be part of a large enterprise (e.g. government department, health service, or other significant organisation). A DPR is the person who ‘owns’ data protection and operates under the direction of management without the constraints mandated for a DPO.
2.3 There are times when it is appropriate for a Credit Union to appoint a DPO, and if it is the opinion of the board to make an appointment, this is a perfectly legitimate route. Additionally, it is always advisable to carefully consider guidance relating to the appointment of a DPO issued by a regulatory oversight body with authority over your CU. A DPO must register with the DPC, and where there is no legal obligation to retain a DPO, may deregister.
2.4 Some Credit Unions have grown significantly in scale and have aspirations to grow more. There will come a point where (on a European-wide scale) they could be considered large scale and will require a DPO.
2.5 It is advisable for a Credit Union to guard against over-engineering this role. This is not to suggest that the CU does not take its obligation seriously; however, if unchecked, an individual can evolve this role to become something that was not intended by the legislation and is not required by the regulators.
3.1 The costs associated with a standalone DPO can be significant.
3.2 The role of a DPO has statutory powers. Where a Controller appoints a DPO the DP Act 2018 (Article 88.4(c) and (d)) states;
“The controller shall;
– ensure that the data protection officer –
(ii) does not receive any instruction regarding the exercise of such functions
– support the data protection officer … including by –
(i) providing him or her with the resource that he or she requires to perform those functions,
(ii) ensuring that he or she has access to processing operations carried out by the controller”
In reality, this level of legal protection for the role of a DPO makes it unlawful for a CEO or board to define the activities of a DPO and can make it difficult to remove a DPO if need be. This can pose a significant risk to the CU.
3.3 The appointment of an external contracted DPO can mitigate against the risk of the powers detailed above being exercised excessively by an employee. However, these powers are not diminished due to the fact that a DPO is external and the significance of this legislation in this context has yet to be tested in the courts.
The appointment of a DPO at a Credit Union is currently a voluntary act. Where the Credit Union has a strategic objective or other reasons to decide to appoint a DPO, it should be done in the clear understanding of the statutory nature of this role.
Where a Credit Union does not wish to appoint a DPO, an arrangement that includes an internal Data Protection Representative that ‘owns’ responsibility for data protection, with the support of an independent qualified expert can deliver an appropriate level of oversight.
Please feel free to contact us at any time if you would like to discuss this further.
Reducing Cost of Managing your Data Protection Obligations
The cost of managing regulatory obligations is often overplayed and, in the case of data protection, the deliverables do not always protect the Credit Union (CU) to the degree that they should. The processes to minimise risk relating to Data Protection regulation for Credit Unions are in the main a set piece, and the ongoing maintenance of standards should not be cumbersome; however, this is not the full story. The risk of liabilities is most likely to come from a small number of items, and in our experience these are not well managed in the CU environment.
That said, the greatest exposure to unnecessary costs often comes from ‘false positives’; believing that a Credit Union has good processes in place where in reality there is room for improvement.
Many Credit Unions have overly complex processes in place with elements of duplication, and they should really focus on the basics that will guard against risk. These typically include the management of loans documentation, CCTV and voice recording, nominations, staff contracts, the monitoring of staff at work, the culture of redaction and the management of identity data. Additionally, well-written and concise Access Request and Breach processes are an essential element of any Credit Union’s preparedness. Sadly, what we see in practice is often lacking in substance. You can find free process documents here.
The ongoing requirement should be embedded in the normal working of the Credit Union and the effort to maintain this should be minimal. Costs should primarily relate to training, oversight and the capacity to manage events. These should use simple and well documented processes and not be cumbersome for a Credit Union.
If you currently use a legal or accounting firm to manage these responsibilities, it is (in our experience) quite possible that they have not implemented effective process change to minimise exposure to risk and the corresponding reporting process. First Compliance provide an informed service that is focused on the avoidance of risk to a Credit Union; it is typically less expensive than the traditional provider and delivers exactly what a Credit Union needs.
How Expert Advice Reduces Risk Related to Data Protection
Expert support for Credit Unions should fall into two distinct categories;
- Process update – the update of policies, processes, notifications and training to reduce the exposure to harm from data protection regulation.
- Professional support – seasoned professional support to guide and advise the compliance officer (or Data Protection Representative) to remain compliant and act in a manner that avoids risk. This includes systematic review, mentoring, training and hands-on support in the event of an incident.
Engaging experts with Credit Union and broader industry experience can shortcut the processes, remove many areas of uncertainty, identify the risks and ultimately save you time and money.
First Compliance have a real depth of knowledge in the Credit Union sector and can reduce your exposure to risk related to GDPR. Call us on 087 7787606 or reply to this mail for an initial confidential conversation.