GDPR will be a sorely needed wakeup call for the industry

It's now almost impossible to ignore the new General Data Protection Regulation (GDPR), which come into force later this month. This is the biggest update of data protection laws in the UK since 1998, long before the exponential growth of the internet and rise of now household names like Facebook, Amazon and Google.

But will the regulations be a positive change or an unnecessary regulatory burden?

For all the complexity of GDPR, I believe the new regulations are positive for us all, whether we look through the lens of a business or a consumer. Though some of the enhanced rights for consumers may not be directly relevant for pensions, such as the right to be forgotten, GDPR still brings many positive changes to our industry. Transparency and accountability for data, two of the key themes of GDPR, can only be a good thing when thinking about pensions.

Whether action on GDPR compliance is being driven by fear of significant regulatory fines from the Information Commissioner's Office - of up to €20m (£17.5m) or 4% of global turnover - or something else, doesn't matter.

The changes are a wakeup call for UK plc - the pensions industry included - to improve the overall security and processing of personal data, flushing out weaknesses in how data is held and processed. Members put their trust in us as trustees and our responsibility extends beyond targeting good member outcomes and strong investment performance.

The timing of the new regulations is ideal given the rise in cyber risk. Having strong and robust security measures in place can only help reduce the risk of a pension scheme being targeted by cyber criminals.

GDPR offers a great opportunity to improve processing efficiency, for example by reducing manual touch points such as paper records and spreadsheets. Any steps towards straight through processing to mitigate GDPR risk can only help improve service level agreements (SLAs) and, more importantly, the member experience.

Data mapping is encouraged by article 30 of the GDPR - a valuable exercise in terms of understanding all the sources of data held and on which systems. It helps answer the questions such as 'was that legacy system de-commissioned after all?' It also acts as a reminder for those responsible for scheme governance about their personal obligations regarding data security. Should all those legacy meeting papers be stored in the garage at home?

In their haste to meet data minimisation requirements, pension professionals shouldn't ignore the need to maintain up-to-date and accurate data, especially as GDPR only bolsters The Pensions Regulator's drive towards improving common and conditional data scores. However, ticking the box on data minimisation will not feel great if data that would have been valuable for cleansing purposes is lost for ever. Proceed with caution!

My experience in updating privacy notices is that they are rarely read by members, until something causes them to become worried about the sharing of sensitive personal data. Should this happen, the privacy notice is a clear demonstration that their scheme takes this seriously. Alongside a data protection officer, or something equivalent, they can feel more reassured that their pension data is safe and instead concern themselves with what is really important for a scheme member: will they have enough to live on in their old age.

In reading this article, if I've encouraged you to ask further questions about your own pension scheme's readiness for GDPR, why not consider testing your subject access request process? The shortened timescale of 30 days is a new requirement of the regulations. If your scheme can respond thoroughly and within deadline, the chances are you are well on your way to being compliant.

David Brown is client director at PTL

• Tweet  
• Facebook  
• LinkedIn  
• Send to  

• Topics
• Admin / Technology
• GDPR
• PTL
• David Brown
• HR