GDPR: Key Steps for credit unions
Thursday 11 January 2024
(Updated 03/06/25)
Introduction
The General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and has applied in the UK since 25 May 2018. The UK has retained the GDPR in domestic law (now the UK GDPR) following the UK’s exit from the European Union.
This guidance is not comprehensive but rather highlights 5 key areas credit unions should start to consider when seeking to comply with GDPR. We also have other guides covering areas such as marketing compliance, the data audit and privacy statements in more depth.
If you have any questions or comments on this information guide please contact your Member Relationship Manager by emailing them direct, on info@abcul.org or by dialling 0161 832 3694.
Key Terms
Data controllers – A data controller determines the purposes and means of processing, i.e. how and why personal data is collected, used and shared. Credit unions are data controllers for their members’ and staff data.
Data processors – A data processor processes data on a data controller’s behalf. Credit unions will often outsource activities to mailing solution companies or data storage providers who are data processors.
Data subjects – A data subject is an individual to whom personal data relates; for a credit union these are generally its members and staff. Data subjects have certain rights under GDPR.
Personal data – Personal data is any information relating to an identified or identifiable living individual, including data which identifies someone only when combined with other information the credit union holds.
Special categories of personal data – personal data which is particularly sensitive, namely:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs,
- Trade union membership
- Data concerning health
- Data concerning sex life and sexual orientation
- Genetic data; and
- Biometric data where it is processed to uniquely identify a person (e.g. fingerprints, iris and voice recognition)
Data Protection and Credit Unions
As with the Data Protection Act 1998, the General Data Protection Regulation (GDPR) applies to credit unions as controllers of personal data i.e. credit unions decide how and why data is collected from members and its own staff.
Credit unions are responsible for their own compliance with the GDPR and remain responsible for any processing they outsource, for example to mailing solutions companies, IT providers or marketing agencies. Each such processor must act only on the credit union’s documented instructions under a written contract containing the terms required by Article 28 of the GDPR.
Key steps for complying with GDPR
Step 1: Pay your data protection fee
Step 2: Determine whether you need a Data Protection Officer
Step 3: Understand the lawful basis of your data processing
Step 4: Put in place members’ rights under GDPR
Step 5: Know what to do in the event of a data breach
Step 1: Pay your data protection fee
Since 25 May 2018 credit unions are no longer required to notify the ICO of their processing activities. Instead, most controllers must pay an annual data protection fee: the ICO still needs to fund its data protection work, since it does not retain the financial penalties from its enforcement action.
Data protection fees
*Fees increased by 29.8% on 17 February 2025*
The annual fee is set at three different levels:
- Micro organisations – Credit unions with a turnover of less than £632,000 or no more than 10 members of staff will pay £52
- Small and Medium Organisations – Credit unions with less than £36 million turnover or no more than 250 members of staff will pay £78
- Large Organisations – Those who do not fit in the above categories will pay £3,763
For more information, see the ICO’s guidance around the new data protection fee here.
Step 2: Determine whether or not you require a Data Protection Officer
A Data Protection Officer (DPO) is responsible for monitoring and advising firms on GDPR compliance. This person can be a member of staff, or could be external and shared between different firms. The DPO is required to have certain professional qualities and a certain level of independence and resource in order to perform the role.
Credit unions must appoint a DPO if their core activities require:
- Regular and systematic monitoring of individuals on a large scale; or
- Processing on a large scale of special categories of data or personal data relating to criminal convictions or offences
Core activities – These are activities which are an inextricable part of an organisation’s goals. This excludes processing of its staff information (which is highly likely to include sensitive categories of data) and other processing which is ancillary to the core activities of an organisation.
Regular and systematic monitoring – Credit unions would likely be considered to carry out regular and systematic monitoring of their members through activities such as anti-money laundering checks, credit scoring, credit profiling, targeted marketing and fraud prevention measures.
Special categories of data – Financial data is not a special category under the GDPR, but if a credit union processes health-related data for the purposes of offering insurance, this would be processing of special category data.
Personal data relating to criminal convictions – The GDPR only permits the processing of personal data relating to criminal convictions and offences where UK law authorises it; in the UK the permitted conditions are set out in Schedule 1 to the Data Protection Act 2018. A credit union must identify the specific condition it relies on and cannot simply assume that the individual’s consent is sufficient.
Large scale – The GDPR does not define what constitutes large-scale processing. The Article 29 Working Party’s guidance on DPOs suggests the following factors are considered when determining whether processing is large scale:
- The number of data subjects – either as a specific number or percentage of a population
- The volume of data and/or range of different data items being processed
- The duration or permanence of the data processing activity
- The geographical extent of the processing activity
Examples of large scale processing cited in the guidance:
- Processing of patient data in a hospital
- Processing of customer data in an insurance company or a bank
- Processing of personal data for behavioural advertising by a search engine
Examples of processing that are not considered large scale:
- Processing of patient data by an individual physician
- Processing of personal data relating to criminal offences by an individual lawyer
The working party guidance acknowledges that there is a “large grey zone in between these extremes” i.e. the difference between the number of people an individual practitioner may serve and a relatively large organisation such as a hospital or bank.
Credit unions need to determine whether they are required to have a DPO based on the guidance above. Since appointing a DPO will incur considerable costs, a credit union may consider ceasing to process members’ special category data (if applicable) and should assess whether its processing activities are small enough not to be considered large scale.
If a credit union decides it does not need a DPO it should record the justification behind its decision and review this decision periodically and when its data processing changes significantly e.g. begins to process more sensitive information such as health records.
Credit unions may appoint a DPO voluntarily, however, that person should meet the same standards as a DPO required by the GDPR. Persons who do not meet these requirements but otherwise perform data protection duties should not be given the job title of ‘Data Protection Officer’.
If you have decided that you are required to have a Data Protection Officer, please see the DPO requirements below.
Step 3: Understand the lawful basis of your data processing
In order to process data lawfully under GDPR, credit unions need to establish and document a lawful basis before processing personal data.
The lawful basis chosen affects the rights members have. For example, where processing relies on the individual’s consent, they will generally have stronger rights, such as the right to have their data deleted. Where the lawful basis is a legal obligation, e.g. the requirement to retain identification documents for at least 5 years after a member has left, there would be strong grounds to refuse to delete that data.
Lawful bases for processing:
A. Consent of the data subject
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. Consent must be some form of clear affirmative action or a positive opt-in, consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Consent must be separate from other terms & conditions and must not be ‘bundled in’ with other written agreements or declarations. Data subjects need to be informed that they have the right to withdraw consent at any time, and provided a simple method for doing so. In addition to the right to be informed [below], credit unions need to specifically name any third party controllers (i.e. organisations that wish to use the data for their own purposes) that they intend to share the data with.
Key to reliance on consent for processing is that the collection and maintenance of consent is documented.
Refreshing consent
Organisations are not required to automatically refresh all existing consent; however, where an individual’s consent is relied upon, it needs to meet the GDPR standard set out above. If it does not, organisations will need to seek fresh GDPR-compliant consent or find an alternative lawful basis.
GDPR also introduces the concept of time-limited consent, which depends on the purpose for which the consent was obtained. For example, consent given to receive a series of marketing letters around Christmas would likely be expected to lapse after Christmas. If processing operations change or evolve considerably then the consent may no longer be valid and will need to be refreshed.
There is no specific time limit in the GDPR for how long consent will last, but best practice may incorporate refreshing consent at appropriate intervals, whilst providing relevant information to help ensure that the member remains well informed about how their data is being used.
Where the lawful basis of processing is consent, members may withdraw this consent at any time therefore reliance on consent should be minimised.
Consent checklist
- Freely given
- Specific and granular
- Informed
- Clear, affirmative, unambiguous
- Unbundled
- Easy to withdraw
- Documented
B. Processing necessary for the performance of a contract with the data subject or to take steps to enter into a contract
This will cover all of the information necessary to deal with the member. However, processing may be deemed not necessary where irrelevant information is obtained for membership, such as asking for political preferences, or where a type of processing is not needed for the contract, e.g. sharing the data with third parties outside of the contract, or transferring data unnecessarily to a third country (under the UK GDPR, a country outside the UK).
C. Processing is necessary for compliance with a legal obligation
This basis will support all the information processed for legal obligations such as:
- identity and verification information to comply with anti-money laundering legislation,
- tax jurisdiction information for compliance with international tax co-operation legislation
- membership details such as date of enrolment under the Co-operative and Community Benefit Societies Act 2014 (section 103, here)
ICO GDPR guidance on legal obligation
D. Processing is necessary to protect the vital interests of a data subject or another person
This only applies to life and death situations so is generally not relevant to credit unions.
ICO GDPR guidance on vital interests
E. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
This may apply to research using member data in the public interest.
ICO GDPR guidance on public task
F. Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
You can rely on legitimate interests where you can show that the use of individual’s data is proportionate, has minimal privacy impact, and that people are not likely to be surprised or object.
Credit unions which rely on this basis should maintain a record of a Legitimate Interests Assessment (LIA) to demonstrate that they have considered the rights and freedoms of their members. The LIA is not mentioned explicitly in the GDPR and therefore is not a strict requirement. However, the ICO recommends its use as part of your data auditing. There is an example template LIA available from the ICO website here.
Legitimate Interests Assessment:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
One example where legitimate interests are likely to be relied upon by a credit union, the recovery of debts, is outlined below.
Purpose test: The credit union has a clear interest to be able to recover debts, and process and share information to this end
Necessity test: Where credit unions have lost contact with a member it may be necessary to share information with a debt collection agency to pursue this interest.
Balancing test: Whilst clearly the individual’s interest would be to avoid paying the debt, the legitimate interests of the relevant parties are not required to be in harmony. Passing the individuals information to a debt collection agency would be ‘expected’ and could not be described as causing ‘unjustified harm’.
The specific example of using legitimate interests as the lawful basis for sharing data with a debt collector in order to pursue debts is used in the ICO’s 1998 Data Protection Act guidance here (now archived).
Where legitimate interests are relied upon, the member has a right to object [below] which can only be rejected where the credit union has compelling grounds to continue to process that data.
Direct marketing of credit union services would be considered legitimate interests, however, where members object to the processing of their data for marketing reasons this must be upheld by the credit union. See more information on direct marketing below.
ICO GDPR guidance on Legitimate Interests
Lawful bases for processing special categories of data
The lawful bases for processing sensitive special categories of data are more stringent than for ordinary processing. Generally credit unions do not process special categories of data defined as: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; data concerning health or sex life and sexual orientation; and genetic and biometric data.
However, where credit unions do have this data, for example, where they hold health related data pursuant to a contract; they are likely to rely on explicit consent (a). N.B. Cuna Mutual do not require health related information for the purposes of LP or LS insurance.
a. Explicit consent of the data subject, unless the law (EU or member state law under the EU GDPR; domestic law under the UK GDPR) provides that the prohibition on processing cannot be lifted by consent
Explicit consent should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made.
To qualify as explicit consent the individual’s consent should be absolutely clear and must be expressly confirmed in words rather than by another type of positive action. In practical terms, an individual filling out their contact details on a marketing form would likely constitute consent as it is a specific, informed and unambiguous act, however, this would fall short of explicit consent as it is implied from the individual’s actions. To provide explicit consent the individual would also need to expressly confirm consent in words e.g. by writing “I consent for you to record the above information”.
The Article 29 Working Party’s guidelines on consent state that, to remove all doubt, the credit union could ask the member to sign the statement.
The other lawful bases for special categories of personal data are listed for completeness below[2].
ICO GDPR guidance on lawful bases for special categories of data
Step 4: Put in place Members’ rights under GDPR
The GDPR strengthens certain rights from the Data Protection Act and provides new rights for members. These rights are:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making and profiling
These rights described in more detail below.
The right to be informed
The GDPR sets out the information that you should supply to members at the time of obtaining their data, which is typically provided in the form of a privacy notice. The information which should be included in the privacy notice is detailed in the table below; there are slightly different requirements depending on whether you obtained the information directly from the data subject or from another source.

1 The recipients of the data should be expressly named if they will be relying on that consent to process data for their own purposes.
*One area where credit unions may need to provide this information is solely automated loan decision-making where there is no meaningful intervention by a human. Cornerstone’s ALD product does not meet these criteria.
Credit Reference Agencies
The credit reference agencies have developed a document detailing how they handle and share data which is useful for credit unions in providing information to members about how their credit data is processed. ABCUL has provided further information about this in our privacy information guidance here.
ICO guidance on right to be informed
The right of access (subject access requests)
Under GDPR members will have the right to obtain the following:
- Confirmation that their data is being processed
- Access to their personal data
- To be provided with supplemental information about the processing. This should already be contained within the privacy notice (described above)
Charging a fee
The £10 fee that applied under the Data Protection Act 1998 was scrapped from 25 May 2018; credit unions must provide members with a copy of their information free of charge. However, credit unions may charge a reasonable fee (i.e. based on the administrative cost) for further copies of the same information.
Where requests are manifestly unfounded or excessive, particularly when these are repetitive requests, credit unions may:
- charge a reasonable fee (i.e. related to the costs of administration); or
- refuse to respond to the request
Where you refuse to respond to a request, you must explain why to the individual and inform them of their right to complain to the ICO and to a judicial remedy. This explanation should be made without undue delay and within one month at the latest.
Time limit
Credit unions need to comply with the subject access request without undue delay, and within one month. It is possible to extend the period of compliance by a further two months where requests are particularly complex or numerous, where this is the case, you must inform the individual within one month of receipt and explain the reason the extension is necessary.
How to provide the information
If the request is made electronically, then the information should be provided in a commonly used electronic format e.g. PDF.
Credit unions need to verify the identity of the person making the request using ‘reasonable means’, which may be their standard verification for account access. They should not ask for more identity evidence than is needed for the level of risk involved, as excessive checks can unlawfully delay the response.
An individual’s request for information should not adversely affect the rights and privacy of others.
GDPR also introduces a best practice recommendation that, where possible, organisations should provide a secure, remote-access, self-service system which gives individuals direct access to their data.
ICO guidance on right of access
The right of rectification
Under GDPR individuals are entitled to have personal data rectified if it is inaccurate or incomplete. Where personal data has been disclosed to third parties then you must inform them of the rectification where possible. You should also inform the individual which third parties you have disclosed their data to where appropriate.
Time limit
Credit unions have one month to respond, which can be extended by two months where requests are particularly complex or numerous. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where the credit union decides not to take action in response to a request for rectification, it must explain why to the individual and inform them of their right to complain to the ICO and to a judicial remedy.
ICO guidance on right to rectification
The right to erasure
Also known as the ‘right to be forgotten’ the right of erasure enables individuals to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
This applies in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent, where the grounds of processing is based on consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- The personal data has to be erased in order to comply with a legal obligation
- The personal data is processed in relation to the offer of information society services (online services) to a child
Exemptions (refusing the request)
Credit unions are able to refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- The establishment, exercise or defence of legal claims
- To comply with a legal obligation (discussed above), or for the performance of a public interest task or the exercise of official authority
- To exercise the right of freedom of expression and information[3]
- Archiving purposes in the public interest, scientific research, historical research, or statistical purposes
Where information has been made available to third parties you must inform them of the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Time limit
Credit unions have one month to respond to the erasure request. This can be extended by two months if requests are particularly complex or numerous.
Where the credit union decides not to take action in response to a request for erasure, it must explain why to the individual and inform them of their right to complain to the ICO and to a judicial remedy.
ICO guidance on right to erasure
The right to restrict processing
When processing is restricted, you are permitted to store the personal data but not further process it. You should retain just enough information to ensure that the restriction is respected in future and inform any third parties about the restriction on the personal data unless it is disproportionate to do so.
This applies in the following circumstances:
- Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.
- Where an individual has objected to the processing (where it was necessary for the purpose of legitimate interests), and you are considering whether your legitimate grounds override those of the individual.
- When processing is unlawful and the individual opposes erasure and requests restriction instead.
- If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Credit unions have one month to respond to the restriction request. This can be extended by two months if requests are particularly complex or numerous.
Where the credit union decides not to take action in response to a request for the restriction, it must explain why to the individual and inform them of their right to complain to the ICO and to a judicial remedy.
ICO guidance on right to restrict processing
The right to data portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This should be provided in a structured, commonly used and machine-readable format, e.g. CSV files. This enables other organisations to use the data and should be provided free of charge.
Guidance published by the Article 29 Working Party on data portability states that this data is not limited to information provided directly by the individual (e.g. through an online form) but also extends to data generated by the activity of that individual.
This applies where:
- The individual supplied the data to the controller
- The processing is based on the individual’s consent or for the performance of a contract; and
- When processing is carried out by automated means
Time Limit
You must respond without undue delay, and within one month. This can be extended by two months where the request is complex or you receive a number of requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where you are not taking action in response to a request, you must explain why to the individual, informing them of their right to complain to the ICO and to a judicial remedy without undue delay and at the latest within one month.
The right to object
Individuals have the right to object to certain kinds of processing such as:
- Processing based on legitimate interests
- Direct marketing (including profiling); and
- Processing for the purposes of scientific/historical research and statistics
- Performance of a task in the public interest/exercise of official authority (including profiling)
Where these processing activities are carried out online, you must offer a way for individuals to object online.
Processing personal data for direct marketing purpose
You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse. This must be dealt with free of charge.
You must inform individuals of their right to object at the point of first communication and in your privacy notice. This must be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
Processing based on legitimate interests
You must stop processing the personal data unless one of the following applies:
- You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual;
- The establishment, exercise or defence of legal claims;
- The objection is not made on grounds relating to the individual’s particular situation (the right to object to legitimate-interests processing requires such grounds)
You must inform individuals of their right to object at the point of first communication and in your privacy notice. This must be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
Time limit
You must respond without undue delay and within one month. This can be extended by two months where the request is complex or you receive a number of requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where the credit union decides not to take action in response to an objection, it must explain why to the individual and inform them of their right to complain to the ICO and to a judicial remedy.
ICO guidance on the right to object
Rights related to automated decision-making & profiling
Credit unions need to identify whether any of their processing operations constitute solely automated decision-making as individuals have the right not to be subject to a decision when:
- It is based on solely automated decision-making; and
- It produces a legal effect or similarly significant effect on the individual (such as the refusal of an online credit application or e-recruiting practices)
Except in the following circumstances:
- It is necessary for entering into or performance of a contract between you and the individual
- It is authorised by law and with suitable safeguards to protect the data subject’s rights, freedoms and legitimate interests.
- It is based on explicit consent (defined above)
However, you must ensure that members are able to:
- Obtain human intervention;
- Express their point of view; and
- Obtain an explanation of the decision and challenge it
Definition of profiling
The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, e.g. to analyse or predict their:
- performance at work;
- economic situation;
- health;
- personal preferences;
- reliability;
- behaviour;
- location; or
- movements
When processing personal data for profiling purposes, you must ensure that appropriate safeguards are in place.
- Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
- Use appropriate mathematical or statistical procedures for the profiling.
- Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
- Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
Automated decisions taken for the purposes of profiling must not:
- concern a child
- be based on the processing of special categories of data unless you have the explicit consent of the individual (or the processing is necessary for reasons of substantial public interest) and suitable safeguards are in place
Time limits
You must respond to any requests regarding these rights without undue delay, and within one month. This can be extended by two months where the request is complex or you receive a number of requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
ICO guidance on rights related to automated decision making including profiling
Rights Table
The table below describes how certain rights apply to different bases of processing
| Lawful basis | Right to erasure | Right to portability | Right to object |
| --- | --- | --- | --- |
| Consent | ✓ | ✓ | X (but right to withdraw consent) |
| Contract | ✓ | ✓ | X |
| Legal obligation | X | X | X |
| Vital interests | ✓ | X | X |
| Public task | X | X | ✓ |
| Legitimate interests | ✓ | X | ✓ |
Step 5: Know what to do in the event of a data breach
Both data controllers and data processors will be subject to a personal data breach notification regime.
Firms to which credit unions have outsourced data processing (processors) must report all personal data breaches to the credit union without undue delay.
Credit unions must report a personal data breach to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the credit union decides not to report a breach to the ICO it should document that decision and its reasoning internally.
To help credit unions understand when they do and do not need to report data breaches to the ICO, the ICO has provided a number of examples and a self-assessment form here.
Information required
The nature of the personal data breach including, where possible:
- The categories and approximate number of individuals concerned;
- The categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer (if you have one) or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Credit unions will need to document the breach on an internal breach register which records the facts relating to the personal data breach, its effects and the remedial actions taken.
Obligation to notify members
The ICO may require the credit union to communicate the data breach to all affected data subjects unless:
- The breach is unlikely to result in a risk to the rights and freedoms of the data subjects
- Appropriate technical and organisational protection measures were in place at the time of the incident (e.g. the data was encrypted)
- It would require disproportionate effort to do so.
If the breach is sufficiently serious to warrant notifying members, the credit union should do so without delay. The breach must present a ‘high risk’ to subjects’ data protection rights and freedoms (e.g. exposure to a risk of fraud). N.B. This is a higher threshold than that for reporting the breach to the ICO. Data subjects can be notified individually.
Practically, credit unions will need to have internal data breach detection, investigation and reporting procedures, which should include a decision-making mechanism for deciding whether the ICO or the membership needs to be notified, in order to meet the tight 72 hour deadline.
Enforcement
The GDPR provides enhanced enforcement powers to data protection supervisory authorities such as the Information Commissioner’s Office (ICO), which has the power to issue fines for certain infringements. The maximum fine until 25 May 2018 is £500,000; GDPR increases this to the higher of EUR 20 million or 4% of global turnover. The ICO has stated that it is unlikely to ‘scale up fines’ because of GDPR, and has not yet used its existing maximum fining powers.
The ICO has other tools for taking action such as:
- Serving information notices requiring you to provide the ICO with specified information within a certain time period
- Issuing undertakings committing you to a particular course of action in order to improve compliance
- Serving enforcement notices where there has been a breach, including steps to take or to refrain from taking
- Conducting compliance audits
- Prosecuting those who commit criminal offences under the Act; and
- Reporting to Parliament on issues of concern
Conclusion
Whilst the ICO will not enforce GDPR until 25 May 2018, credit unions need to start planning for GDPR compliance as soon as practicable. This guidance will be updated with further information on other areas of GDPR, as well as any modifications the UK government makes to the regulation in its proposed Data Protection Bill that were not already announced in its statement of intent. It will also be updated as more guidance emerges from the ICO and the Article 29 Working Party.
Further Reading:
- General Data Protection Regulation
- Keeling Schedules on GDPR and the Data Protection Act (A DCMS document which highlights various changes following the UK leaving the European Union).
- Information Commissioner’s Office (ICO) Website
- ICO GDPR Guidance
[1] Credit unions will still be able to carry out criminal record checks on employees, as the Government has stated that it will legislate to allow employers to obtain details of criminal convictions for this purpose. This has no bearing on the requirement to have a DPO, as staff data is ancillary to the credit union’s core activities.
- Explicit consent of the data subject, unless reliance on consent is prohibited by EU or member state law
- Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
- Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
- Processing relates to personal data manifestly made public by the data subject
- Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards. The FCA has recently suggested that this lawful basis can be used (with reference to Schedule 1, Part 2 of the Data Protection Act 2018) to process sensitive data in order to safeguard the economic well-being of certain individuals.
- Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems, and services on the basis of Union or Member State law or a contract with a health professional
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).
[3] Freedom of expression and information means processing carried out for journalistic purposes or for the purpose of academic, artistic or literary expression.
An FAQ guide is available for download in the ABCUL Member Resource Library here.
