EU General Data Protection Regulation

Implemented in May 2018, the European Union’s General Data Protection Regulation provides EU citizens and other natural persons in the EU with more control over their personal data by strengthening their existing rights and providing new rights.

The EU GDPR is not within the regulatory scope of NCUA examinations, because it is not a U.S. law. The following information is provided for information purposes only. Credit unions should discuss their potential GDPR compliance needs and the associated risk with their legal and business counsel, as appropriate.

Individuals covered by the GDPR have the following rights:

  • Easier access to their personal data
  • Data portability, making it easier to transmit personal data between service providers
  • Clearer right to erasure (“right to be forgotten”), and
  • The right to be notified when a breach that results in a high risk to their personal data occurs

In addition to its consumer protection focus, the GDPR creates business opportunities and stimulates innovation by:

  • Establishing a single set of EU-wide rules for data protection
  • Requiring the creation of a Data Protection Officer role in public authorities and businesses that process data on a large scale
  • Ensuring businesses deal with a single supervisory authority (in the EU country in which they are mainly based) on cross-border processing matters
  • Requiring non-EU companies to apply the same rules when offering services or goods to, or monitoring behavior of, individuals within the EU
  • Ensuring data protection safeguards are built into products and services from the earliest stage of development
  • Requiring privacy-friendly practices (for example, de-identifying sensitive data by replacing it with one or more artificial identifiers, and data encryption)
  • Requiring impact assessments when data processing may result in high risk for the rights of individuals, and
  • Requiring recordkeeping of processing activities (while organizations that employ 250 people or more must record their processing activities, those that employ fewer than 250 people are not required to do so unless the processing is regular or likely to result in a risk to the rights of the person whose data is being processed)

For more information about the GDPR, visit the European Commission’s official Data Protection in the EU website.

Last updated August 10, 2018