General Data Protection Regulation – Conducting a Data Audit

Thursday 11 January 2024

Introduction

Members have a variety of data which will be collected, held, processed, accessed, shared, and ultimately destroyed by the credit union. Credit unions need to understand how and why they use this data and control the data through its entire lifecycle in order to comply with data protection regulation. This guide will take you through the process of performing a data audit with a view to complying with the General Data Protection Regulation (GDPR) which came into effect 25 May 2018.

This guide follows ABCUL’s earlier information guide on the key steps that credit unions should take to comply with the GDPR and complements that guide with more practical guidance on how to ensure that you are processing personal data in a compliant way. To evaluate how your credit union is progressing with GDPR compliance, the Information Commissioner’s Office (ICO) provides a quick self-assessment for data controllers such as credit unions here.

Proportionality

As with other regulatory regimes, data protection compliance requirements will scale with the size and complexity of a given organisation. Generally speaking, the ICO has taken a proportionate approach to data protection in terms of supervision and intervention. The ICO has also published a series of blogs which aim to address some of the more common misconceptions.

Aims of Data Protection Audit

The aim of a data protection audit is to systematically check for compliance with data protection regulations to ensure:

  • Data collected is obtained on a legitimate and lawful basis
  • Information is accurate, complete, up-to-date, relevant and not excessive
  • Data is stored securely, whilst use and access of systems containing personal data is controlled and limited
  • Data is processed appropriately and in line with data subjects’ expectations
  • Compliance with individuals’ rights, such as the right of subject access and the right to be informed
  • Data is shared securely and appropriately with third parties, and individuals are informed of the data sharing
  • Data is not retained for an excessive duration and controls are put in place for the deletion of the data

 

Data collection

Credit unions should start an internal audit by accounting for all of the ways data is obtained or received by the credit union such as:

  • Membership forms
  • Loan application forms
  • Notes taken when dealing with members, call recordings
  • Emails
  • Financial transactions made by the member
  • Other forms such as nominated beneficiary and life insurance forms

Credit unions will then need to categorise data into personal data, and (where applicable) sensitive personal data.

Personal Data

Personal data is defined under the GDPR as any information relating to an identified or identifiable natural person (data subject). Identifiable (as opposed to identified) natural persons are data subjects which cannot be directly identified but can instead be indirectly identified from one or more pieces of information relating to that person.[i]

Whether or not an individual can be identified from data depends on the context, for example, by itself the name John Smith may not always be personal data due to how many individuals have that name. However, where the name is combined with other information – such as an address, place of work, or telephone number – this will usually be sufficient to clearly identify one individual.

This means that any information that can be linked to a specific individual is personal data, and can include a wide variety of data items from basic contact details to IP addresses in the right context.

Examples of personal data
  • Name
  • Address
  • Date of Birth
  • Marital Status
  • Financial Transactions
  • Photographs / Video
  • IP Addresses
  • Mobile ID
  • Notes relating to a person
  • Recorded phone calls
  • National Insurance number

Sensitive personal data

Sensitive personal data (which the GDPR calls “special category data”) has a higher potential to cause harm to a data subject and is defined under Article 9 of the GDPR as data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data used to uniquely identify a person (e.g. fingerprints, iris and voice recognition)
  • Data concerning health
  • Data concerning a person’s sex life or sexual orientation

GDPR places higher safeguards and restrictions on the processing of sensitive personal data: as well as a lawful basis under Article 6, the processing needs a separate condition under Article 9 (for example, explicit consent). Credit unions obtaining sensitive data will therefore want to consider whether processing it is necessary for their objectives at all. It is also important to note whether the data originated from the:

  • Data subject; or
  • Third Party (family member, credit reference agency, etc.)

Credit unions need to review the information that they collect and answer the following questions:

  • What personal data is collected?
  • What categories of personal data are collected?
  • What will the data be used for, and is this lawful?
  • Is all of the data necessary? [ii]
  • Is any of the information sensitive personal data?
  • Is a privacy policy provided to individuals when the information is collected?

More information

  • An example data collection review is available to download on the right-hand side.

Data storage

A key component of the audit is assessing how and where all of your data is stored. Data will be stored either on the credit union’s premises or remotely by a third party, and it may be stored in a number of different formats, e.g.

Digital
  1. Internal drives (saved locally to computers or to a server) and magnetic tape
  2. Portable drives (external, USB / thumb)
  3. Optical and legacy media (CD, DVD, Blu-ray, floppy disk)
  4. Banking platform provider
  5. Information stored on website
  6. Data backup & recovery services
  7. Mobile devices (e.g. phones, tablets, laptops) provided to staff
Paper-based
  1. Paper records
  2. Staff notes
  3. Paper membership forms
  4. Paper loan applications
  5. Photocopies of member documentation
  6. Archived and historical documents
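
In practice the first storage question is simply finding where personal data already sits across shares and workstations. The following Python script is an added example, not part of ABCUL’s guide or any ABCUL tool: it walks a folder tree, looks in text-based files for patterns that usually indicate personal data (UK National Insurance numbers, email addresses, UK postcodes and dd/mm/yyyy dates) and writes the hits out as CSV that can seed the audit register. The file names, sample contents, pattern set and `TEXT_EXTENSIONS` list are assumptions for illustration; the patterns are simplified, and a hit is a prompt for a person to review the file, not proof that it holds personal data.

```python
"""Personal-data discovery scan to support a data audit.

Walks a directory of text-based files and reports which files contain
likely personal-data items and how many of each. The patterns are
deliberately conservative: a hit is a prompt for a human to review the
file, not proof that it holds personal data.
"""
import csv
import io
import os
import re
from collections import Counter

# Simplified patterns. NI_NUMBER follows the HMRC format rules: two prefix
# letters (first not D/F/I/Q/U/V, second not D/F/I/O/Q/U/V, and not one of
# the unallocated pairs BG, GB, NK, KN, TN, NT, ZZ), six digits, suffix A-D.
PATTERNS = {
    "ni_number": re.compile(
        r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "date_dmy": re.compile(
        r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"
    ),
}

# Assumed set of file types worth reading as text; office documents, PDFs
# and database exports need a format-specific reader and are skipped here.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md", ".json", ".eml"}


def scan_text(text):
    """Return {category: count} for the personal-data patterns found in text."""
    counts = Counter()
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            counts[name] = len(hits)
    return dict(counts)


def scan_directory(root, extensions=TEXT_EXTENSIONS):
    """Walk root and return a list of (path, category, count) findings."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for filename in sorted(files):
            if os.path.splitext(filename)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for category, count in sorted(scan_text(fh.read()).items()):
                    findings.append((path, category, count))
    return findings


def findings_to_csv(findings):
    """Render findings as CSV text for the audit register."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["path", "category", "count"])
    writer.writerows(findings)
    return buf.getvalue()


def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    import tempfile

    samples = {  # constructed sample content, not real member data
        "loans/app-0001.txt": "Applicant Jane Doe, NI AB123456C, DOB 14/03/1980, e-mail jane@example.org",
        "notes/call.log": "Caller gave dummy NI QQ123456C (invalid prefix); postcode SW1A 1AA",
        "images/scan.png": b"\x89PNG image data is not scanned",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            data = content if isinstance(content, bytes) else content.encode("utf-8")
            with open(path, "wb") as fh:
                fh.write(data)
        findings = scan_directory(root)
        # Strip the temporary prefix so the result does not depend on the machine.
        return [(os.path.relpath(p, root).replace(os.sep, "/"), c, n)
                for p, c, n in findings]


if __name__ == "__main__":
    print(findings_to_csv(demo()))
```

Run it against a share with `scan_directory("/path/to/share")` and file the CSV with the audit. The dummy number QQ123456C in the sample is deliberately not reported, because Q is not a valid prefix letter; a format-aware pattern produces far fewer false positives than a plain `[A-Z]{2}\d{6}[A-D]` and is worth the extra care, since every hit costs someone review time.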

Credit unions will need to ascertain all the ways that they store data and consider the following:

List of considerations by issue

Physical security
  • Are the premises physically secure?
  • What is the risk of a break-in?
  • What is the risk of unauthorised access during business hours?
  • Are the premises of any off-site storage secure?
Digital security
  • Do computers, servers and network devices have the latest security updates?
  • Are you protected against viruses and malicious software?
  • Are your systems secure against cyber attacks?
  • Is data encrypted, particularly sensitive data and data on devices that are more likely to be lost (laptops, USB drives)? Note that device encryption protects data on a lost or stolen device; it does not protect data from a user who is logged in or from malware running on the device.
Staff / human
  • Are controls in place to restrict and log staff access to personal data (individual accounts rather than shared logins, so that access can be attributed to a person)?
  • Are staff trained on information security?
  • Are members allowed access to computers holding personal data?
Data backups
  • Is your data backed up?
  • Is there a backup in a remote location, i.e. not in the same physical location as the live copy?
  • Is the backup encrypted?
  • Has a restore from backup been tested?
  • Is a third party involved? Are they trusted and secure?
Sensitive data
  • Do you store any sensitive data?
  • Are higher safeguards used for sensitive data?
  • Can sensitive data be anonymised or pseudonymised?
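
The last consideration, whether sensitive data can be anonymised or pseudonymised, is often answered in practice with a plain hash of the member number, which is weak because the set of possible member numbers is small enough to hash exhaustively. The Python below is an added example, not ABCUL’s code: it pseudonymises member records for an internal analysis (for instance an equal opportunities or social impact assessment) with a keyed HMAC, leaves the direct identifiers out, generalises date of birth and postcode, and shows that the credit union can still re-identify a record while it holds the key. The record fields, member numbers and the 64-bit pseudonym length are assumptions for illustration.

```python
"""Pseudonymising member records for internal analysis.

Pseudonymised data is still personal data under the GDPR (Art. 4(5),
Recital 26): the controller can re-identify it with the key. The key must
therefore live in a separate, access-controlled store from the dataset.
Generalising the remaining fields (age band instead of date of birth,
postcode area instead of full postcode) reduces the chance that a record
can be singled out, which is what anonymisation has to achieve.
"""
import hashlib
import hmac
import secrets
from datetime import date


def new_pseudonymisation_key():
    """Random 256-bit key. Store it apart from the data (secrets manager,
    HSM, or at minimum a different system with its own access control)."""
    return secrets.token_bytes(32)


def pseudonymise_id(key, member_id):
    """Keyed hash of a member identifier, truncated to 64 bits (assumed length).

    An unkeyed SHA-256 of a six-digit member number can be reversed by hashing
    all million candidates; HMAC with a secret key removes that attack while
    keeping the mapping stable so records for one member still link up."""
    mac = hmac.new(key, member_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def age_band(dob, on):
    """Ten-year age band as of date `on`, e.g. 1980-03-14 on 2024-09-01 -> '40-49'."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def postcode_area(postcode):
    """Outward code only, e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.strip().upper().split()[0]


def pseudonymise_record(key, rec, on):
    """Build the analysis record: pseudonym plus generalised quasi-identifiers.

    Fields the analysis does not need (name, NI number, full postcode, exact
    date of birth) are not carried across at all; omission is the safest
    transformation."""
    return {
        "pseudonym": pseudonymise_id(key, rec["member_id"]),
        "age_band": age_band(rec["dob"], on),
        "postcode_area": postcode_area(rec["postcode"]),
        "loan_purpose": rec["loan_purpose"],
    }


def reidentify(key, pseudonym, member_ids):
    """The controller, holding the key and the member list, can map a
    pseudonym back to a member. Anyone without the key cannot."""
    for member_id in member_ids:
        if hmac.compare_digest(pseudonymise_id(key, member_id), pseudonym):
            return member_id
    return None


# Constructed sample records, not real member data.
SAMPLE_MEMBERS = [
    {"member_id": "M10042", "name": "Jane Doe", "ni_number": "AB123456C",
     "dob": date(1980, 3, 14), "postcode": "SW1A 1AA", "loan_purpose": "car"},
    {"member_id": "M10057", "name": "John Smith", "ni_number": "CE987654A",
     "dob": date(1995, 11, 2), "postcode": "M1 1AE", "loan_purpose": "home"},
]


def demo(key=None, on=date(2024, 9, 1)):
    """Pseudonymise the sample set with a fresh (or supplied) key."""
    key = key or new_pseudonymisation_key()
    return [pseudonymise_record(key, rec, on) for rec in SAMPLE_MEMBERS]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two caveats follow from the design. First, because the output is still linkable to members via the key, it remains personal data and must be handled as such; the gain is that a leak of the analysis file alone exposes much less. Second, generalising fields does not by itself make the data anonymous: before treating an output as anonymous, check against the real dataset that no combination of age band, postcode area and loan purpose is unique to one member, since a record that stands alone can still be singled out.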

 

Data processing

Credit unions process data for a variety of different purposes, and the purpose determines what data is collected, how it is shared and how long it is retained. Under the GDPR, processing must be for specified, explicit and legitimate purposes. Typical processing activities include:

  • Membership applications
  • Loan processing
  • Identification for AML compliance
  • Processing transactions (deposits, transfers, dividend)
  • Dealing with a complaint
  • Direct marketing
  • Communications with members
  • Administering ELDS
  • Equal opportunities and social impact assessments

Credit unions need to ensure that they process data in line with the reasons given to the member when the member provided the information. However, it is possible to process for new purposes as set out below.

Processing for new purposes

Credit unions can process information for a new purpose provided that they consider whether the new purpose is compatible with the original purpose, taking into account the following factors:

  • Any link between the original purpose and the new purpose
  • The context in which the data has been collected
  • The nature of the personal data and whether sensitive personal data is affected
  • The possible consequences of the new purpose of processing for the data subjects
  • The existence of appropriate safeguards (e.g. encryption or pseudonymisation)

List of data processing considerations

  • Is the credit union aware of all the processing activities it carries out?
  • Has the credit union considered the lawful basis for each processing activity?
  • Is the data collected for the processing necessary?
  • Are processes in place to honour the members’ rights that apply to each processing activity (e.g. access, rectification, erasure, objection)?
  • Is the credit union registered with the ICO for its data processing?

Data sharing

Credit unions will share some data with third parties and will need to ensure that all third parties can be trusted and that the sharing mechanism is secure.

Examples of third parties credit unions may share personal data with
  • Credit reference agencies
  • Identity verification and Know Your Customer (KYC) service providers
  • PEPs and Sanctions service providers
  • Website providers
  • Data back-up providers
  • Financial Services Compensation Scheme
  • National Crime Agency
  • Mailing solution providers
  • HM Revenue and Customs
  • Banking platform provider
  • Customer Relationship Management (CRM) system providers

This list is not exhaustive. The key is that you are sharing members’ data with a trusted party and in a way that the member would reasonably expect.

List of considerations

  • Which third parties receive data from the credit union?
  • What data is shared with each third party?
  • Are the third parties compliant, and are appropriate safeguards in place (contracts, etc.)?
  • Have the members been informed of and agreed to the data-sharing activity?
  • Is the data sharing necessary?
  • Is the data transferred to a third country, i.e. a country outside the European Economic Area (EEA), and if so under what safeguard?

Data Maintenance

One of the principles of the GDPR is that personal information should be accurate and, where necessary, kept up to date. Credit unions should update the information they hold on members as they are informed of changes, and consider prompting members periodically and providing mechanisms for members to maintain their own personal information.

Where credit unions discover new information about a member, this may need to be passed on to third parties as appropriate. One area where members may be negatively impacted by out-of-date information is where the credit union fails to update data on a member’s credit reference file, e.g. failing to record that a member has paid off an overdue debt.

Maintaining Consent

Credit unions may rely on consent for certain processing activities and often will for marketing-related activities. Under GDPR, consent needs to be more actively reviewed and managed. In addition to allowing members to withdraw consent at any given time, GDPR also stipulates that consent can be invalidated without this withdrawal. For example, if your purposes or activities evolve significantly beyond what the member originally consented to then you will need to obtain fresh consent in order to continue marketing to those people. Consent can also degrade or be valid for a fixed duration depending on the circumstances.

For example, a credit union may run a promotion that gives members the opportunity to receive emails with tips on how to manage their money before Christmas. As the consent refers to a particular timescale and end point, the expectation will be that these emails cease after Christmas, and therefore the consent expires.

List of considerations
  • What member data is likely to become out of date?
  • What is the impact of inaccurate / out of date information on the member and/or credit union?
  • How can the credit union ensure that the data remains accurate and relevant?
  • Does the credit union need to pass on new information about a member’s account to third parties?
  • Does the credit union need to refresh consent?

Data Destruction

A certain time after members leave, or where information relating to a member is no longer needed, credit unions will need to erase personal information in line with a retention policy. ABCUL has guidance on retaining and archiving records here. As well as compliance with data protection regulations, the ICO suggests that there are other advantages, namely:

  • Reduces the risk that out of date information will be used in error to the detriment of all concerned
  • As time passes it becomes more difficult to ensure data is accurate
  • Even though you may no longer need the personal data, you must still make sure it is held securely
  • You would also need to respond to subject access requests covering all the data you hold, which is more difficult if you are holding more data than you need

Where a credit union decides to delete data it should delete all instances of that data, including copies held in backups. Where a backup cannot be edited selectively, ICO guidance on deleting personal data allows the data to be put beyond use (not accessed or used again) until the backup is overwritten on its normal rotation; record this approach in the retention policy. Bear in mind that deleting a file does not remove the underlying data from the storage medium, so decommissioned drives, USB sticks and backup media should be wiped or physically destroyed, and paper records shredded. Where the data has been provided to third parties, credit unions should ensure that these are also adhering to a retention schedule.

List of considerations
  • Has the credit union set a retention policy for the data it processes?
  • What is the process for deleting old data?
  • Are there multiple copies of the data which need to be deleted?
  • Do third-parties also conform to a retention schedule?
  • Is the data in any way recoverable?

Further Resources
ABCUL – January 2018

Reviewed: September 2024


[i] The definition of personal data according to Article 4 of the GDPR: (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

[ii] ICO, Guide to the General Data Protection Regulation, “This does not mean that processing always has to be essential. However, it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means.

It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is necessary for the stated purpose, not whether it is a necessary part of your chosen method of pursuing that purpose.”

A data collection and GDPR compliance map is available in the ABCUL Member Resource Library here.