August 09, 2018

NAFCU Compliance Monitor outlines EU's data protection rule

The substantive requirements of the European Union's General Data Protection Regulation (GDPR), how they differ from existing U.S. mandates and what credit unions are doing about it are outlined in the latest edition of the NAFCU Compliance Monitor.

The Monitor, sent to members yesterday and now available for download, also includes the Compliance Forum, which houses questions and answers on provisions within Regulation Z, selling gift cards to nonmembers and defining delinquency, among other topics.

NAFCU Senior Regulatory Compliance Counsel Elizabeth Young LaBerge along with Tan Su, the association's regulatory intern, note in the detailed article on the GDPR that while some credit unions have determined they should comply with the regulation, others are still weighing the costs.

"Unfortunately, there are no easy answers when it comes to determining whether a credit union falls within the scope of the rule or may be subject to enforcement of the law by a foreign government," the article states. "Understanding a credit union's exposure in this area requires a fact-based analysis of its members, operations, products and services, and vendors, likely with the assistance of qualified counsel."

LaBerge and Su explain privacy law in the U.S. and in the European Union. The article also covers GDPR definitions; data protection principles, including the handling of sensitive data; and how to handle and report data breaches.

"A credit union moving towards compliance will need to carefully consider what data it collects and why, how to document its purposes within the context of the GDPR, how to provide disclosures that are compliant under both U.S. and EU law, how to establish and implement procedures to give effect to the rights of data subjects, and whether its contractual environment and relationship with vendors provides the credit union with the assurances it may need," the article concludes.

Additional information on the European Union's GDPR is available through the NAFCU Compliance Blog, webinars and other articles.