WASHINGTON—Credit unions in the U.S. continue to sort through the implications of the new General Data Protection Regulation (GDPR) from the European Union.
Several U.S.-based companies, including news organizations, have announced they’ve blocked access to their websites from Europe until they are certain they are in compliance with the rules around privacy.
The regulations potentially apply to American entities that process the personal data of EU residents when offering them goods and services. The term “offering” is determined on a case-by-case basis, noted CUNA in its analysis during a webinar.
Updating CUs during the webinar were Lance Noggle, CUNA senior director of advocacy for payments and cybersecurity; Andy Price, World Council's regulatory counsel; and Hal Scoggins of Farleigh, Wada and Witt.
It was made clear during the webinar that the new rules purport to apply to companies anywhere in the world with customers or members living in the EU.
“While there is no express civil enforcement mechanism in the GDPR itself, international law will govern the enforcement of any civil penalty. The Federal Trade Commission indicated in the adequacy determination that it will use Unfair and Deceptive Practices to enforce penalties, but there is no rule expressly mandating compliance with the GDPR. Therefore, how, if at all, these provisions will be enforced against U.S. credit unions will be determined over time,” CUNA explained.
Key Requirements
According to CUNA, key compliance requirements under the GDPR include:
- Business accountability measures that include data protection officers, record maintenance requirements, privacy impact assessments, privacy by design and default for all data collection systems, privacy policies, controller and processor responsibilities, restrictions on transfers to third countries, proof of compliance and mandatory appointment of a data protection officer in certain circumstances
- Requiring notification of a data breach to a supervisory authority within 72 hours (subject to conditions) and notification to affected data subjects without undue delay (with certain exceptions)
- Demonstration of consent in a clear, intelligible manner, with the right of the data subject to withdraw consent. Existing consents may not be valid
- Defined consumer rights that include disclosure of data collection, right to access records and the purpose of data collection, right to restrict processing, right to rectification and erasure, right to data portability, right to lodge a complaint, right to legal remedies, right to object to profiling and penalties for violations
