Jason Coates
Partner
Under the General Data Protection Regulation (GDPR), data processors will, for the first time, have direct legal duties under data protection legislation. Many pension scheme trustees use third parties for professional advice and to help run their schemes. What will trustees have to do to ensure compliance by these third parties?
Third parties usually play an important role in the running of a pension scheme. Service providers and professional advisers need to use the scheme's personal data in order to help trustees run their scheme.
The GDPR requires specific terms to be in place between data controllers and data processors. These include general statements describing the processing and specific stipulations that the data processor must agree to.
Under the GDPR, data controllers can only use third party data processors that provide sufficient guarantees that they will comply with the GDPR. Trustees will need to carry out due diligence on their third party service providers and professional advisers to determine whether they provide sufficient guarantees.
Contractual terms are not enough - third parties will need to provide evidence of how they comply. This might come in the form of a standard form statement explaining the data and security measures that the third party has put in place. Trustees should keep records of this evidence to demonstrate their own due diligence.
Many trustees rely on third party service providers to administer their pension schemes. For such schemes, the bulk of data processing is carried out by third parties. In addition, trustees have to appoint professional advisers such as actuaries and lawyers. These advisers usually have to use the scheme's personal data in order to provide advice.
Pension scheme trustees need to think about any third parties that process the scheme's personal data on behalf of the trustees. For most pension schemes, this will include the scheme administrator and professional advisers such as actuaries and lawyers.
There are two main legal duties that apply in respect of third parties:
Pension scheme trustees are data controllers for the purposes of the scheme's personal data. Under the GDPR, data controllers have to ensure that there is a legally binding contract in place between them and any third parties that process the scheme's personal data on behalf of the trustees. The GDPR specifies a range of terms that need to be included in a contract between data controllers and third party data processors.
Under the GDPR, data controllers should only use third party data processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures in order to comply with the GDPR and protect personal data. Data controllers will, therefore, need to satisfy themselves that existing third parties provide sufficient guarantees. In addition, when appointing a new third party, data controllers will need to carry out due diligence to ensure that the third party will provide sufficient guarantees.
The GDPR requires certain terms to be included in legally binding contracts between a data controller and a data processor, and between data controllers that are joint controllers.
There are three types of terms that may need to be included. If the third party is only a data processor, only the first two sets of terms need to be included. If the third party is a joint controller, all three sets of terms need to be included.
In order to be compliant with the GDPR, the contract between a data controller and the data processor should include statements that cover:
In order to be compliant with the GDPR, the contract between a data controller and the data processor should also contain stipulations that the data processor will:
In order to be compliant with the GDPR, the contract between a data controller and another data controller in a joint controller relationship should set out:
In addition, the joint controllers need to make the essence of the agreement available to data subjects. This will usually be done via the privacy notice.
As data controllers, pension scheme trustees should only appoint third party data processors that can provide sufficient guarantees that they will implement appropriate technical and organisational measures in order to comply with the GDPR and protect personal data.
On its own, no. This is especially the case if the data processor's day-to-day practice does not meet the standards set out in its contract.
It can, however, form part of the evidence that the trustees will need in order to satisfy themselves that the third party has provided sufficient guarantees.
How can trustees make a judgement as to whether a third party provides sufficient guarantees? Will they need to appoint a consultancy to provide expert advice on data protection and data and cyber security?
This will depend on the situation. It might be appropriate where the trustees have particular concerns about the data processor. It might also be a good idea if the third party handles a particularly high volume of sensitive personal data.
Trustees that use recognised names in the pensions industry may not need to go this far.
It would make trustees' lives a lot simpler if there were a single standard or code of practice that was independently verified and demonstrated compliance.
There is a raft of British and international standards covering relevant areas of document management and data and cyber security.
Up to this point, however, no single standard or code of practice has emerged.
Trustees are likely to have to weigh up a range of factors. This will include the information that has been provided by the third party - most pensions industry data processors are setting out revised terms and conditions and issuing statements on how they, as an organisation, deal with data protection.
Evidence that a third party provides sufficient guarantees could come from a variety of sources, including:
Trustees should consider all of their third party service providers and professional advisers and any other third parties (e.g. the scheme's employer(s)). It might be useful to create a diagram / map rather than a list.
Third parties are only relevant for data protection purposes if they process the scheme's personal data. Processing covers a wide range of activities, but there are exceptions (e.g. Royal Mail is not processing data if they only hold a document or a USB memory key in order to deliver it). If the third party only receives anonymous data or scheme level data that does not identify a living, natural person, they will not be dealing with personal data and can be discounted from this process.
Third parties are putting in place variations to their standard terms and conditions to deal with the requirements for specific terms under the GDPR. Have all of your third parties provided such variations? Have you had them reviewed by the scheme's lawyers?
Trustees should ask third parties to provide evidence of how they will comply with their duties under the GDPR. This may come in the form of responses to a questionnaire, a standard form response covering data protection and data and cyber security, a page or section of a website or a combination of these. It is important for the trustees to keep a record of this evidence so that they will be able to demonstrate the due diligence they carried out on their third party service providers and professional advisers.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.