20 April 2017
The pensions industry has one year to prepare for new regulations coming its way. Europe's new data protection legal framework is set out in the General Data Protection Regulation (GDPR) which will come into force in all EU Member States on 25 May 2018, including the UK. While the changes are not radically different to the current legal requirements, there are important developments that the pensions industry needs to be aware of ahead of May 2018.
A new EU data protection regime comes into force in May 2018
The General Data Protection Regulation (GDPR) will come into force in all EU Member States on 25 May 2018.
The GDPR will apply to the UK and is likely to apply after the UK leaves the EU
The UK will still be a Member State of the EU on 25 May 2018. The GDPR comes into effect for all Member States, and so will come into force in the UK. The UK will retain the GDPR following Brexit.
The GDPR is evolutionary rather than revolutionary
The GDPR does not mark a radical departure from the current data protection regime (i.e. in the UK under the Data Protection Act 1998 (DPA)). There are, however, certain key changes that will focus attention in the pensions industry.
There are four key developments that will affect the pensions industry the most
The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are
- more detailed privacy notices, whilst still being concise and easily understood;
- overlapping controller and processor obligations, especially around security;
- mandatory breach notification to regulators and members; and
- more severe sanctions for non-compliance.
What's happening on data protection?
Regardless of the progress of Brexit negotiations, it is very likely that the UK will still be a Member State of the EU on 25 May 2018. The GDPR will therefore apply to data controllers and processors in the UK on and from this date and the Great Repeal Bill will translate the GDPR into national law.
The Information Commissioner has also made it clear she expects that the UK will want to keep in step with European data protection standards after we leave the EU in order to facilitate cross-border transfers but also as many UK controllers and processors will process personal data of European citizens and are therefore caught by the GDPR in any event as it has extra-territorial effect.
Pension scheme trustees will, therefore, need to comply with the GDPR from 25 May 2018.
With just over one year to go until the GDPR goes into force, it is now time to map your data flows and start reviewing current policies, procedures, systems and practices and ensuring you understand your data protection obligations.
The new law is not as radical a departure from the old law as might have been feared. Broadly speaking, data processes that are lawful under the UK's Data Protection Act 1998 are likely to remain lawful under the GDPR. This should provide some comfort to trustees to the extent they are compliant with the current legal requirements. This is, however, subject to four important changes that are particularly relevant to pension schemes.
What are the key changes for pensions under the GDPR?
1. More detailed privacy notices
The requirements relating to privacy notices under GDPR are more detailed and specific than under the DPA and place more emphasis on making them understandable and accessible. Privacy notices will need to contain additional information, such as details of the legal basis for the processing of the personal data that is held.
Existing privacy notices will therefore need to be reviewed and updated accordingly.
2. Overlapping controller and processor obligations, especially around security
Under the GDPR, data processors (i.e. those who process personal data on behalf of a data controller, such as a scheme administrator) will, for the first time, be subject to direct legal obligations. This significant exposure to additional legal liability will make compliance a higher priority amongst actuaries, employee benefit consultants and other advisers.
In addition, the GDPR will require agreements between trustees and these parties to cover various data protection issues. Data controllers (such as trustees) are not relieved of their obligations under the GDPR even if they have delegated to a third-party data processor.
3. Mandatory breach notification to regulators and members
Under the GDPR, breaches of the data protection requirements must be reported to the national supervisory bodies (i.e. the Information Commissioner's Office in the UK) within 72 hours. If breaches are likely to result in a high risk to the rights and freedoms of data subjects (i.e. pension scheme members, employees etc.), the breach has to be communicated directly to the affected persons without undue delay.
4. More severe sanctions for non-compliance
The GDPR imposes significantly greater fines for non-compliance, up to the greater value of €20 million and 4% of global annual turnover for the majority of data processing that is relevant for the pensions industry.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.