ARLINGTON, Va.–Both “misinformation and myths” surround the European Union's new General Data Protection Regulation (GDPR), according to NAFCU, which says the new rule can affect credit unions in the U.S.
NAFCU Senior Regulatory Compliance Counsel Elizabeth Young LaBerge said that the GDPR does not specify its application to EU citizens or residents – pointing out that the words "citizen" and "resident" do not appear in the rule at all.
"According to the GDPR itself, it does not apply to European Union citizens or residents, it applies to any identifiable, natural person who is physically in the European Union, regardless of their nationality or residence," she explained.
LaBerge also addressed the GDPR applicability to organizations. She notes that for credit unions based entirely in the U.S., this area deserves a closer look. According the rule, LaBerge said that "merely having a member or customer in the EU is not, by itself, enough to pull a credit union into the scope of the regulation." For an organization to be in the scope of the rule, it must be processing data in connection with: the offering of goods or services, or the monitoring of their behavior that takes place within the EU, she said.
"It is critical to understand that a credit union's tools and activities play a key role in determining whether it falls into the GDPR's scope as it is set out by the rule," LaBerge said. "This gives credit unions the power to speak with their vendors and IT staff to determine whether limitations on those tools and activities can be put in place so that the credit union will not fall into the GDPR scope as it is written by the EU. But what the rule says on paper is only a piece of this analysis."