Data protection rules already apply to the trustees of pension schemes as a result of the Data Protection Acts 1988 and 2003. The existing data protection legal framework will be significantly strengthened from 25 May 2018 when the EU General Data Protection Regulation (GDPR) comes into force. If trustees have not already started to consider whether their scheme arrangements will be compliant with GDPR requirements, now is the time to do so.
Trustees will usually be “data controllers” who are legally responsible for “personal data” which is, broadly, information relating to identifiable persons (i.e. the members and other beneficiaries of the scheme – called “data subjects” in the legislation).
Persons appointed by the trustees to assist with the administration of the scheme will be data processors if they are given any personal data. Obvious data processors would be the scheme administrators, but legal advisers, the scheme sponsor, the actuary, medical advisers and insurance companies may also be data processors.
The collection, holding, transfer and use of personal data is “processing”. Personal data must be processed according to a number of principles designed to limit the amount and use of personal data, to maintain its accuracy and protect against unauthorised use or disclosure. Members and beneficiaries have various rights in relation to the use of personal data relating to them.
GDPR retains the same core principles as currently apply but introduces some significant changes. Among these are:
- Privacy notices, the notices trustees give members and beneficiaries telling them what personal data is held and how it will be used, will need to contain an expanded list of information
- Record keeping requirements are to be strengthened and trustees must be able to demonstrate to the regulator how they are complying with the requirements of GDPR
- Contractual arrangements with data processors will need to include a number of mandatory provisions in writing
- The notification obligations on trustees where there is a personal data breach (by the trustees or any of their data processors) are being strengthened and, for the first time, will include an obligation to notify the regulator within a tight time frame of the breach
- Where personal data is processed on the basis that the member or beneficiary has consented to the processing, the member or beneficiary will have the right to withdraw that consent – finding other grounds for processing personal data may become more important
- The amount of time for providing members and beneficiaries with access to their personal data is being reduced
- Before carrying out processing which involves a high risk for members or beneficiaries, trustees will have to carry out an assessment (a “privacy impact assessment”) of the risks to members or beneficiaries in carrying out that processing, and the adequacy of proposed measures to deal with those risks.
Steps to GDPR compliance
So what areas should trustees now be focussing on?
- Understand what personal data the trustees and their data processors hold, where it comes from, where it goes and the legal basis for processing the data
- Review and update privacy notices
- Review contractual arrangements with anyone who processes scheme personal data
- Prepare a plan to minimise the risk of personal data breaches and to deal with breaches should they occur
- Review arrangements for responding to a member or beneficiary request for access to, or alteration or deletion of their personal data.
We are available to help trustees, as well as processors of pension scheme personal data, to comply with GDPR. If you are interested in finding out more please let any of the team know. We will be holding a presentation in January for our pension clients giving more detail on the steps to take to become GDPR compliant.