At a glance
- The European General Data Protection Regulation (GDPR) applies across the EU from 25 May 2018
- It brings many new requirements for pension funds
- A Data Protection Bill is set to put the regulation into UK law and will replace the Data Protection Act 1998
The General Data Protection Regulation will have a wide ranging impact on pension funds. Jay Doraisamy and Mark Prinsley say there is still time to take action ahead of 25 May
25 May 2018 is fast approaching. This is the date from which the European General Data Protection Regulation (GDPR) applies across the EU. Replacing current data protection laws, it will introduce significant changes and new requirements with a wide-ranging impact on UK pension schemes. Tougher sanctions, a new data breach notification obligation, new requirements for data privacy governance, data mapping and impact assessments, and stronger rights for individuals in relation to their personal data are just some of them.
On top of this, a Data Protection Bill, currently going through parliament, will bring GDPR into UK law and repeal the Data Protection Act 1998. While the GDPR contains no pensions-specific exemptions, the bill does, although they will be of limited application.
Compliance might appear a daunting task for trustees who are only just turning their minds to GDPR, but it is not too late to get ready. Here are eight pointers:
- Make sure that the trustees and management (e.g. the pensions manager) know how GDPR will affect the scheme. Put together a plan for how the scheme will implement GDPR's requirements, and liaise with the sponsoring employer.
- Identify the personal data that the scheme collects, the purposes for which it is processed, how it is obtained, and the parties with whom it is shared. Create a written record of this data mapping exercise. Use it to assess which processing activities must comply with GDPR, and to identify and minimise the risks associated with those activities.
- Review the basis on which the scheme collects and processes personal data. Schemes may only collect and process personal data on the basis of one or more prescribed 'processing grounds' (this is already a requirement and continues under GDPR). Changes may be needed for this to continue under GDPR, particularly where schemes rely on the 'consent' or 'legitimate interests' grounds.
- Update the scheme's data protection policy and procedures to reflect the changes needed to comply with the new GDPR requirements. If the scheme has no data protection policy, put one in place. In particular, make sure that an updated data privacy notice is sent to members. This notice should set out key information, including:
- the fact that the trustees are data controllers in relation to the members' personal data;
- the grounds on which the scheme collects and processes personal data, the types of personal data that the scheme may collect, and for how long personal data will be retained;
- the parties to whom the trustees may disclose members' personal data in the course of administering the scheme;
- members' rights in relation to their personal data; and
- details on other issues such as international transfers of data and how members can make a complaint regarding the handling of their personal data.
- Put processes in place so that the trustees can respond to data breaches in accordance with the new obligation to notify the Information Commissioner within 72 hours of becoming aware of a breach (the notification is required unless the breach is unlikely to result in a risk to individuals, and affected members must also be told where the risk to them is high).
- Understand how the new rights that members will have under GDPR, such as the right of access to their personal data and the right to have it erased, affect the scheme, and how best to respond when members exercise those rights.
- Review and update the trustees' contracts with advisers and service providers with whom the scheme shares personal data (in particular, the administrators) to ensure compliance. If there is no written contract, put one in place. Make sure that any use of a sub-processor by the adviser or service provider is authorised by the trustees.
- Make sure that any transfers by the trustees of personal data out of the EEA comply with the strict requirements under GDPR as to how such transfers can be done.
Trustees can seek support from their sponsoring employers, who may well have resources on which the trustees can draw. Trustee advisers will likewise often be able to support trustees through the process, for example by offering template documentation that can be tailored to the scheme's requirements.
Jay Doraisamy is co-head of pensions and Mark Prinsley is head of IP & IT at Mayer Brown International