Happy Birthday GDPR!
in Compliance & Regulatory
By: Nicola Foggie, NJCUL Senior Vice President, Compliance and Regulatory Affairs

Last month, the European Union’s new General Data Protection Regulation (GDPR) turned one year old. The GDPR applies to all businesses that process data on individuals in the EU and affects multinational companies that handle transactions around the world. But what is the potential impact on U.S. credit unions with members in the EU? The World Council of Credit Unions (WOCCU) issued a guide in 2018 to answer this question and to provide background on the GDPR standards for credit unions. Recently, lawmakers have started taking more action to regulate businesses that control the Personally Identifiable Information (PII) of their customers (members). The two most notable laws in this area are the GDPR and the California Consumer Privacy Act (CCPA), the latter signed into law in June 2018.

The GDPR replaced the 1995 EU Data Protection Directive, which generally did not regulate businesses based outside the EU. The new law is different. It is intended to impose stricter rules on businesses so that they cannot have free rein over the use and distribution of EU citizens’ data. In addition, the GDPR’s reach is broader: it can apply to potentially any business, not only those within the boundaries of the EU. Whether a company needs to comply with the GDPR depends almost entirely on its marketing efforts. If the company actively pursues or monitors EU citizens in order to track and collect PII that is useful to its business, the GDPR will likely apply to it.

Why is understanding the GDPR important? Laws and regulations of this type will continue to grow in prevalence, so companies may need to change their strategies, especially by creating and strengthening data security (IT) teams. Understanding the European law also matters because it overlaps with the newly composed CCPA, which will directly impact the state of California. In short, both laws require individuals’ consent before a business collects and begins using that consumer-specific data, and both then require the business to disclose how it collected the data and what the data will be used for. Failure to comply carries a very predictable consequence: very heavy penalty fees.

This information should not be construed as legal advice. Please consult with your legal counsel if you believe your credit union may be impacted by these requirements.