In May the General Data Protection Regulation (GDPR) came into force across the European Union. Michael Klimes examines how it will affect UK trustees
- EU states have two years to implement General Data Protection Regulation
- Brexit will not change march towards higher data standards
- Trustees and third party administrators must up their game on data
When a story appears about pensions, data is a minor theme much of the time. Readers prefer to learn about investments, fees and what scammers are up to.
Many seem to put data into a box, dump it in the attic and forget about it. But this approach is becoming harder to do. Increasingly, the box is going to be taken out of the attic and the contents inspected. Why?
The European Union's (EU) General Data Protection Regulation (GDPR) is the answer. It is meant to create a single regulation protecting the data rights of all EU citizens. It came into force on 24 May 2016 and applies from 25 May 2018.
Before the Brexit vote, trustees and third-party administrators (TPAs) were finding out about the penalties they could face if they do not follow the rules.
The maximum fine for a company breaching GDPR is €20m (£17m) or up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. The lower-tier fine is €10m or up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
All firms must inform the relevant data protection authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. GDPR is meant to supersede the Data Protection Act 1998.
As a result of Brexit, there is uncertainty about how these rules will apply to trustees and TPAs.
One certainty is that the Information Commissioner's Office (ICO) will police whatever regime is adopted. Beyond this, a number of scenarios could unfold.
During a Pensions Management Institute seminar on data standards on 5 July, Pinsent Masons partner Robin Ellison said there is no certainty trustees have to comply with these data regulations: "We don't know what the new risks are as we are living in uncertain times."
He continued: "The big change is you have to tell the regulator [ICO] if there has been a data breach. Regulators [across all aspects of financial services] are starting to get intoxicated with fines and costs of doing business are probably going to increase. There is a risk if you are a large company, they [ICO] might try to make an example of you."
Taylor Wessing senior data protection adviser Sally Annereau sees the possibility of a two-tier system for trustees and TPAs. The dividing line would be between those that process data only within the UK and those that do not.
"If you have a business which is purely operating in a UK market, then one option is you have a two-tier regime. You could have lighter data regulation [for UK-focused organisations] as the issues around the free flow of data between UK and EU are less relevant."
However, she points out that trustees and TPAs that deal with EU clients, or have a more international profile, will have to consider GDPR.
"You have organisations on an international footing, they are trading with European partners and they have a footprint which is global. They have data flowing around all over the place. These types of considerations [complying with GDPR] are going to be very important for them in order for them to continue to receive data in the UK from Europe."
Furthermore, even if the UK does not adopt GDPR into domestic law, it would have to craft a British equivalent of an adequate standard in order to continue receiving personal data from the EU.
"The way we can demonstrate adequacy is either by implementing the GDPR into our national law or by having a law of an equivalent standard," Annereau continues.
Pinsent Masons senior associate Kristina Holt agrees about the limited wriggle room: "In practical terms, any potential variation from GDPR is likely to only be possible if the context is either entirely domestic (i.e. the trustee, administrators and members are in the UK) or UK/non-EU related (e.g. UK trustee, US administrator).
"Whether the UK government will pursue a variation from the GDPR requirements in this context remains to be seen. It will, to some extent, depend on the outcome of any Brexit negotiations as well as purely domestic considerations of policymakers."
Clearly, the negotiations around Brexit are likely to have some bearing on data standards in the UK. But officials at the ICO are already lobbying the government.
The importance of higher data standards regardless of Brexit is explicitly stated by the ICO. In a statement to PP, it explains how critical data transfers across Britain's borders are.
"Over the coming weeks, we will be discussing with government the implications of the referendum result and its impact on data protection reform in the UK.
"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO's role has always involved working closely with regulators in other countries, and that will continue to be the case.
"Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary."
Squire Patton Boggs partner Wendy Hunter and her colleague senior associate Francesca Fellowes believe trustees and TPAs cannot be complacent.
Negotiating a transition from the pre-Brexit world to the post-Brexit one is fraught with complexity. What practical steps can trustees take to ensure they have covered all bases?
Fellowes says that the first step for trustees is a data mapping exercise to "assess what personal data they use and how, so that they can determine the compliance required under the GDPR".
Then trustees must scrutinise existing contracts. She continues: "Many do not contain the provisions that are mandatory under current law, meaning that, if the processor caused the breach, it would be the trustees that would be held responsible and, potentially, fined.
"Trustees can, at the same time, negotiate for the inclusion of the provisions that will be mandatory under the GDPR."
Similarly, new contracts with service or product providers also need to be looked at, she says: "Trustees currently negotiating contracts with service or product providers that will or may continue beyond 25 May 2018 will need, by that date, to incorporate the new mandatory provisions required to be incorporated in agreements with processors."
For Hunter, it is imperative trustees understand the conditions of any contract and talk to their lawyers about GDPR.
"They should not enter into any contracts, especially those containing data protection provisions or those presented to them as 'standard', without first consulting their legal advisers."
With so much to do, it is clear data cannot be ignored by the industry anymore. The box, which has gathered dust in the attic, will have to be retrieved. The contents have to be dealt with sooner rather than later.
Equiniti managing director of data solutions Duncan Watson says there are people who acknowledge this: "Although a fairly painful thing, data custodians are supporters of data legislation as it helps them manage suppliers' handling of data they are ultimately responsible for."
What do trustees need to do now?
Privacy notices and consent. Many trustees only provide limited privacy notices to their members. Trustees will need to review their privacy notices and revise them to include all the information that will be mandatory. As consent to processing can be withdrawn at any time, trustees may wish to minimise, as far as they legally can, the use of consent as the justification for processing, relying on another lawful basis where one is available. Where consent is needed, it must be set out separately in plain language so that there can be no doubt the relevant individual is giving fully informed consent.
Records of data processed. When the data mapping required under the GDPR is undertaken by trustees, or by administrators on their behalf, this will assist trustees in plugging any gaps in their data protection compliance.
Data breach response plan. Trustees should put in place a robust data breach response plan. The 72-hour notification window is short, and it runs from the moment the breach is discovered. Often, such breaches occur on a Friday evening, over the weekend, or as a business closes down for the holidays. The plan should set out the contact details (including out-of-hours contact information) of all the internal and external people who will need to be involved, along with the actions to be taken in the event of a data breach.
Source: Squire Patton Boggs