What Your Credit Union Needs To Know About The GDPR And Why It Needs To Know It

March 23, 2018 at 9:55 am

One of the toughest questions I’ve dealt with since I’ve been with the Association is this seemingly straightforward one: Does my credit union have to comply with the GDPR and, if so, what can we do? Covered organizations must be in compliance by May 25, 2018, the date the Regulation begins to apply. Keeping in mind that the opinions I express belong to me alone and are not intended as a substitute for legal advice from a lawyer of your choosing, the purpose of this blog is to give you some further thoughts on the subject as well as to explain why I think the Facebook fiasco will ultimately make the GDPR more relevant to all of us. I apologize for its length, but there’s no way to boil this down to a few paragraphs.

What is the GDPR? The General Data Protection Regulation (GDPR) is a landmark set of requirements promulgated by the European Union, designed to give consumers firm control of their electronic data and to give the European Union enhanced authority to impose these requirements beyond its borders. Violators face potentially severe penalties: administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Why is the GDPR such a big deal? On a policy level it represents a totally different conception of the use and monetization of electronic information than has developed in this country. The US has allowed e-commerce to develop organically. The implicit premise has been that, in return for allowing companies like Facebook to easily access our information, consumers receive an enhanced e-commerce experience. In fact, this has happened.

Conversely, the GDPR represents a conception of personal information as the property of the consumer, control over which the consumer never completely surrenders. Under the European approach, at least in theory, members would know that their personal data was sent to Cambridge Analytica and could simply withdraw their consent for the company to use it.

How does the Regulation accomplish this goal? By requiring that a company have a lawful basis for processing personal information (consent is the most familiar of these, and where consent is the basis it must be a clear affirmative opt-in, not a pre-checked box or silence), AND by mandating that companies be able both to transfer a person’s information to another company at that person’s request and to erase a person’s electronic footprint on request. These rights are known as the “right to be forgotten” (formally, the right to erasure) and the “right to data portability.”

Does the GDPR apply to my credit union? This is the part of my blog that’s going to drive people nuts. On paper the answer may well be yes. As I explained in a previous post, Article 3, paragraph 1 of the Regulation stipulates that it applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” That paragraph covers organizations with an establishment in Europe. The provision that reaches a US institution with no European establishment is Article 3, paragraph 2, which applies the Regulation to the processing of personal data of people who are in the EU where the processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behavior within the EU. Note that the test is whether the person is in the EU, not whether the person is an EU citizen. So on paper the Regulation can extend to an institution holding and processing data belonging to members located in the EU, regardless of where the institution itself happens to be located. For instance, I talked to a downstate credit union that was surprised to find out it had more than a hundred accounts belonging to members who lived in the EU.

Why is this such a big deal? After all, some form of these mandates has already been in effect in Europe. For one thing, this is the first time Europe has explicitly extended these mandates to organizations outside its borders. In addition, I’ve read and been told by IT people that, without a serious investment of time and money, these nice-sounding mandates are difficult to achieve. They require companies to be able to locate, extract and delete one person’s data on demand, even as more and more of it is being aggregated into the big-data hodgepodge. After all, the more information Cambridge Analytica has about Facebook users, the more it can confirm correlations between the type of car they drive, the coffee they drink and their views on gun control. (I made this example up, but this is exactly the type of research that’s being done.)

Can I be sued for not complying with the GDPR? The more I look at the issue, the more I think that the GDPR is likely to become increasingly relevant to your credit union’s compliance efforts, not because of formal action taken against individual companies by the European Union but because courts in this country could, rightly or wrongly, come to recognize the GDPR as the baseline standard of care when it comes to protecting a person’s private electronic data. This could happen in one of two ways. First, the GDPR itself gives individuals a private right of action: a right to a judicial remedy against a controller or processor and a right to compensation for damage caused by a violation, although those claims are brought in the courts of an EU member state.

Secondly, appellate courts may, over time, accept the argument that in an interconnected world, where everything from an individual’s playlist to what they buy when they go shopping could very well be stored on a server in Ireland, it is reasonable to expect companies to recognize the GDPR as the standard of care to which they should be holding themselves.

And let’s keep in mind that, as legislators seek to react to Facebook and Cambridge Analytica, the GDPR represents a model upon which they can build their own system of mandates.

How concerned should my credit union be? Again, this is my opinion, but let’s be a little practical. Regardless of what the EU claims, its ability and desire to impose fines on a credit union that has no physical presence in Europe and does not even market its services to Europe is highly questionable. Furthermore, the intent behind the Regulation is to put large multinationals on notice that, to the extent they do business in Europe, they have to abide by the GDPR. On a practical level, given everything your credit union has to do, investing time and money to comply with the GDPR should be at the bottom of the list unless you actively market to, or serve members in, the European Union.

What’s the bottom line? Unless your credit union is unusual in this respect, I wouldn’t panic about the approaching deadline, but I would consider putting a GDPR policy in place, since some of what the Regulation requires overlaps with measures your credit union is already taking, such as data breach notification protocols (the GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach, so your existing incident response timelines are a natural starting point). In the medium to longer term, credit unions should be mindful of the GDPR and begin to think of ways they could comply with its overarching mandates, if not its specific requirements.

The recent Facebook fiasco has finally made people realize that their private information is worth protecting, and they’re going to demand that GDPR-type restrictions be placed on all companies and financial institutions, regardless of where they are located.

Entry filed under: Compliance, Legal Watch, Regulatory.


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
