April 23, 2018

Myths, misinformation surrounding EU's data protection rule explained

Misinformation and myths in circulation regarding the European Union's new General Data Protection Regulation (GDPR) are explained in a recent NAFCU Compliance Blog post.

NAFCU Senior Regulatory Compliance Counsel Elizabeth Young LaBerge begins the post by noting that the GDPR does not define its scope in terms of EU citizens or residents, pointing out that the words "citizen" and "resident" do not appear in the rule at all.

"According to the GDPR itself, it does not apply to European Union citizens or residents; it applies to any identifiable, natural person who is physically in the European Union, regardless of their nationality or residence," she writes.

LaBerge also addresses the GDPR's applicability to organizations. She notes that for credit unions based entirely in the U.S., this area deserves a closer look. According to the rule, LaBerge writes, "merely having a member or customer in the EU is not, by itself, enough to pull a credit union into the scope of the regulation." For an organization to be in the scope of the rule, it must be processing data in connection with either the offering of goods or services to such persons, or the monitoring of their behavior where that behavior takes place within the EU. She explains both of these components in detail.

"It is critical to understand that a credit union's tools and activities play a key role in determining whether it falls into the GDPR's scope as it is set out by the rule," LaBerge writes. "This gives credit unions the power to speak with their vendors and IT staff to determine whether limitations on those tools and activities can be put in place so that the credit union will not fall into the GDPR scope as it is written by the EU. But what the rule says on paper is only a piece of this analysis."

A follow-up blog post will talk about the possible need for risk assessments surrounding the GDPR.