The EU adopted a new General Data Protection Regulation (GDPR) on 24 May 2016 which provides for a more consistent data protection regime across the EU. The GDPR will replace the Data Protection Act 1998 (DPA) in the UK with effect from 25 May 2018 and will have a considerable impact on trustees of pension schemes. This blog looks at the key changes that trustees should be considering in readiness.
Why will this affect trustees?
Trustees (and their service providers) are data controllers (and data processors) under the DPA. The trustees (or service providers on behalf of the trustees) hold and process a substantial amount of information about members, pensioners, and beneficiaries. The GDPR extends the current obligations on data controllers and data processors. Further, the penalties for non-compliance will increase significantly. The most serious breaches carry a penalty of up to €20 million or 4% of global turnover (currently the maximum fine is £500,000). If more than one data controller or data processor is accountable for the breach, the Information Commissioner’s Office (ICO) has the option to pursue either or both organisations.
What are the key changes affecting trustees?
1. Data processors
Under the GDPR, data processors will have direct accountability for data protection breaches and can be fined in the same way that a data controller would. Whilst this could be seen as a positive change for trustees, service providers may seek further contractual protection from trustees.
Trustees will need to review their contracts with service providers to ensure that they have the appropriate levels of protection in their agreements.
2. Right of individuals
The GDPR also creates new rights for individuals including the ‘right to be forgotten’ (the right to have data erased), the right to object to data processing on various grounds, and a new right to transfer personal data to other organisations. The subject access fee will also be removed.
Trustees should ensure that they have processes in place to enable members to exercise their rights under the GDPR.
3. Privacy notices and consent
The GDPR emphasises the importance of ensuring that individuals are given clear information in plain English on what their data is used for by way of fair processing notices and privacy notices. Under the GDPR, consent must be unambiguous and be communicated by a statement (written or verbal) or “clear affirmative act”. The GDPR makes clear that inactivity, silence, pre-ticked boxes or inactivity does not constitute consent.
Trustees should examine existing privacy notices as well as data protection provisions to ensure that they are compliant with the GDPR and that they have the appropriate consent from their members.
The GDPR requires data controllers and data processors to keep full records of exactly what personal data is processed, what the data is used for, how and by whom the data is used, with whom it is shared, as well as the security measures applied to it and the length of time it is to be stored.
Privacy impact assessments will become obligatory should trustees ever undertake high risk processing and when using new technologies.
The GDPR places greater weight on data controllers ensuring that data protection principles will be complied with by designing systems and processes that reduce the data collected, and ensuring that data protection compliance is built into the system/process.
Trustees should review and assess the personal data they collect and how they process that data, and ensure that the way that data is processed has a legal basis under the GDPR. Where necessary a primary impact assessment should be undertaken.
5. Data breach reporting
It will become compulsory for trustees and service providers to inform the Information Commissioner about data breaches that cause a risk to the rights and freedoms of an individual whose data is compromised (e.g. risk of identity theft). This must be reported within 72 hours of discovering the breach and in high risk cases may require the trustees to notify the individual/s concerned.
Trustees will need to have a strong data breach response plan in place so that they are able to respond within the necessary timeframes to any data breaches.
Brexit impact ?
The ICO has published a statement following the referendum result. The statement confirms that over the coming weeks, the ICO “will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK”.
The GDPR will be directly applicable to all member states (that is member states are bound to recognise and enforce the GDPR without the need for any national legislation to implement it). At this stage it is not clear how the UK will renegotiate its relationship with the EU. What is certain is that since the GDPR comes directly into force across the EU from 25 May 2018, we have to assume that it will apply to the UK in the interim period before it formally exits the EU.
This post was contributed by Patricia Bailey. For more information, email firstname.lastname@example.org.
 Recital 65 of Regulation (EU) 2016/679 of The European Parliament and of The Council
 Recital 32 of Regulation (EU) 2016/679 of The European Parliament and of The Council