Process flows and GDPR

Solutions Orientated Risk Management

Before we begin, let’s just outline what a process flow is and why it’s important from a GDPR perspective.
All activities in a credit union can generally be thought of as processes: a series of steps that we follow every time so that we get from the start of an activity to the end.
Think about a member coming in to get a loan in the credit union. We generally follow the same steps every time.

  1. The member fills out the application form and provides supporting documents e.g. bank statements, proof of income etc
  2. We take the form and the supporting documents then run a credit check
  3. We assess the application and see if they have the capacity to repay
  4. We make a decision on whether to approve the loan or not
  5. If we approve the loan – a credit agreement is drawn up and signed
  6. We disburse the money (EFT, Cheque, Cash)

As we can see, there are steps that we follow every time. These are stages in the loan process and can easily be mapped.

So why is this important from a GDPR perspective? Firstly, it allows us to focus on each stage and see if data records are created or used. Secondly, it allows us to determine the reason we hold the data and whether it is within the scope of GDPR.

When we look at the process flow again, we can see these data records and use this as the starting point for GDPR.

Now that we have identified the actual data records we are responsible for, we can assess them to see if they are within the scope of GDPR:

  1. Loan Application Form – Name, Address etc – Personal Data – within scope of GDPR
  2. Supporting documentation (bank statements etc) – Name, Address, BIC, IBAN etc – Personal Data – within scope of GDPR
  3. Credit Check Report – Name, Address etc – Personal Data – within scope of GDPR
  4. Loan Assessment Form – Name, Address etc – Personal Data – within scope of GDPR
  5. Credit Agreement – Name, Address etc – Personal Data – within scope of GDPR
  6. EFT Transfer Form – Name, Address, BIC, IBAN etc – Personal Data – within scope of GDPR

So, using process flow diagrams we can identify data records and have a structured approach to part of our GDPR responsibilities.
SORM, working with partner credit unions, has created a large set of integrated process flow diagrams templated for use by other credit unions.

These templates cover CU areas such as:

  • Account Management
  • Counter Processes
  • Credit Control
  • Human Resources
  • Information Technology
  • Lending
  • Marketing & Business Development
  • Membership
  • Risk, Compliance and Internal Audit
  • Shared Services

Each template identifies data records, is fully customisable for other CUs, and is stored in the SORM database so it can be linked to the CU’s Data Management Programme.

Call or email us to find out more