GDPR – Privacy Notices

Thursday 11 January 2024

Before reading this guide, you should already be familiar with ABCUL’s guide covering the key UK General Data Protection Regulation (GDPR) requirements, and ABCUL’s follow-up guide to conducting a GDPR audit, which will help you understand what information you obtain from members in greater detail.

Why do I need a privacy notice?

GDPR provides the right for each member to be informed about how their personal information is used and shared by the credit union. These rights will typically be fulfilled in the form of a privacy notice.

What do I need to include in a privacy notice?

The information you are required to include in your privacy notice is:

  • your full contact details;
  • the types of personal data you collect;
  • where you got people’s data from, if it wasn’t from them;
  • why you have people’s information and what you’re doing with it;
  • your lawful basis and your legitimate interests where relevant;
  • who you share people’s information with; and
  • how long you hold people’s information for before getting rid of it securely.

Further information on what to include can be found here.

ICO Guidance

Layered Privacy Notices: The ICO now recommends using layered formats—short summaries with links to more detailed information—to improve accessibility, especially in digital environments such as online onboarding or mobile apps.

Children’s Code Applicability: Credit unions offering juvenile accounts should note that the ICO’s Children’s Code applies even when accounts are managed by parents or guardians. The child remains the data subject, and privacy notices must reflect this with age-appropriate clarity and protections.

AI and Automated Decision-Making: If your credit union uses automated tools (e.g. for credit scoring or onboarding), the ICO’s updated guidance on fairness and transparency in AI processing should be considered. Members must be informed about how decisions are made and their rights under GDPR.

How should I write my privacy notice?

According to the GDPR, a privacy notice should be concise and intelligible, using clear and plain language, particularly where it is aimed at children.

ABCUL example privacy notice

An example privacy notice is available to ABCUL credit unions here and can be downloaded from the bottom of the page. ABCUL credit unions are free to adapt this example or use it to inform their own work towards compliance with members’ rights.

Before using this template, a credit union needs to conduct a data audit to understand all the ways that it processes or shares members’ data, in order to ensure that its privacy notice is informed and covers all of its data processing activity.

Layering your privacy notice

Privacy notices can be layered in order to reduce information fatigue whilst still providing access to more detailed information as necessary. In the example document, it’s recommended that sections such as ‘rights explained’ can be pulled out and hosted on the credit union’s website, or that further information about credit rating agencies be included on loan applications, i.e. at the point this information becomes relevant for the individual.

Credit unions may take this a step further and include ‘just-in-time notices’, such as pop-up boxes linked from data fields on an interactive online form, which provide concise privacy information at the moment the individual provides their personal information. For more information on good practice see the ICO’s code of conduct on privacy notices here.

What is the Credit Reference Agency Information Notice (CRAIN)?

If the credit union uses a credit reference agency, it is required to refer to a standardised information notice about how credit rating agencies process consumer data. Credit unions can either include the full notice or include summary information that links to the full notice in a ‘layered approach’.

An example of the layered approach has been included in the ABCUL example privacy notice. We have also included guidance on using the layered approach and the complete CRAIN in the attached documents at the bottom of this guide.

When do I need to provide a privacy notice?

  • At the time the data is obtained where it is collected from the data subject (member)
  • Within 1 month where the data has not been collected from the data subject
  • Before you process information for a new purpose
  • In the event of a data breach or material change to the way you process or share data

This means that credit unions provide privacy information to the same member multiple times, e.g. when:

  • They join the credit union
  • They apply for a loan (a specific loan privacy notice may be given here)
  • The credit union processes personal data in a new way (an explanation of the change and an updated privacy notice should be provided)

How can I provide privacy notices?

The Information Commissioner states that privacy notices can be provided through a variety of media such as:

Orally – face to face or when you speak to someone on the telephone (this would need to be documented)

In writing – including printed media; printed adverts; application forms etc.

Through Signage – for example an information poster in a public area

Electronically – in text messages; on websites; in emails; in mobile applications

What happens if I change my privacy notice?

Credit unions should review their privacy notice to ensure that it is accurate and up to date with the credit union’s processing and sharing activities. Minor changes to improve the usability of the privacy statement will not usually need to be actively communicated; however, where the privacy notice has been materially changed to reflect new processing or sharing activities, credit unions will need to consider how to communicate these changes in an effective way to the existing membership.

Where the credit union relies on consent for carrying out a new processing or sharing activity, it will need to obtain this for each and every individual member before it can process their data in this way.

Further Resources:

ABCUL

ICO

EU

Further guidance is available in the ABCUL Member Resource Library here.

 

Last reviewed (31/07/25)