The European Union’s General Data Protection Regulation (GDPR) will take effect in the UK on 25th May 2018. The GDPR will replace the current UK data protection law found in the Data Protection Act 1998 (DPA). The GDPR broadly applies to all data included in the DPA; however, the GDPR’s definition of “personal data” is more detailed, having been modernised to include data such as IP addresses. It also includes some minor changes to data that is classified as sensitive personal data.
Other changes include a new accountability requirement, meaning organisations must be able to demonstrate how they comply with the principles of the GDPR. Data “processors” (who act on behalf of data “controllers”) are subject to obligations under the GDPR, which is new. Nevertheless, it is pension scheme trustees, as data “controllers”, who are responsible for ensuring compliance with the GDPR (data “controllers” are in charge of how and why personal data is processed).
What does the GDPR mean for pension scheme trustees?
- Trustees must be able to demonstrate compliance with the GDPR;
- Increased transparency and information requirements – an aim of the GDPR is to clarify the purposes for which data is collected and with whom it will be shared;
- New rights of members – changes to members’ rights of access mean that a copy of information requested must now be provided within one month (a change from 40 days under the DPA) and free of charge. The GDPR also introduces an extended “right to be forgotten”;
- Enhanced consent requirements provide that members can withdraw consent to their data being held and consent will need to be obtained separately for some matters, in particular where it relates to sensitive information, such as a member’s health;
- Changes to notification of breaches – the Information Commissioner’s Office (ICO, the UK’s independent body for regulating information rights and individuals’ data privacy) must be notified within 72 hours of trustees becoming aware of a breach, unless certain exceptions apply. Failure to comply with this requirement can result in punitive fines; and
- Increased fines of up to €20,000,000 or 4% of worldwide profits for non-compliance, compared with £500,000 under the DPA.
What actions should pension scheme trustees be taking now?
In addition to ensuring they receive training on their obligations under the GDPR, some of the steps that trustees should be taking now include:
- Implement/update a data protection policy – Trustees should review how consent is obtained and whether their processes remain valid under the GDPR, and also review the procedure for notifying data processors if a member’s consent is withdrawn. The policy should state that members will be provided with data within 31 days of requesting access and that the ICO will be notified appropriately;
- Review personal data currently held, the legal basis for holding it and whether it is still needed;
- Review contracts with third parties to ensure they are GDPR compliant, and speak to those third parties more generally about their own preparations for GDPR compliance; and
- Ensure member communications are reviewed to reflect the GDPR requirements.
Taking these actions now will ensure trustees are better placed come next May to comply with the new requirements and avoid the significantly increased fines.
For further information, please contact:
Michael Collins, partner, Pensions
T: 0121 234 0236