Ready or not - a new data protection regime is coming

The pensions industry has one year to prepare for new regulations coming its way. Europe's new data protection legal framework is set out in the General Data Protection Regulation (GDPR) which will come into force in all EU Member States on 25 May 2018, including the UK. While the changes are not radically different to the current legal requirements, there are important developments that the pensions industry needs to be aware of ahead of May 2018.

Download podcast

Subscribe via iTunes

Key points

1. A new EU data protection regime comes into force in May 2018

The General Data Protection Regulation (GDPR) will come into force in all EU Member States on 25 May 2018.

2. The GDPR will apply to the UK and is likely to apply after the UK leaves the EU

The UK will still be a Member State of the EU on 25 May 2018. The GDPR comes into effect for all Member States, and so will come into force in the UK. The UK will retain the GDPR following Brexit.

3. The GDPR is evolutionary rather than revolutionary

The GDPR does not mark a radical departure from the current data protection regime (i.e. in the UK under the Data Protection Act 1998 (DPA)). There are, however, certain key changes that will focus attention in the pensions industry.

4. There are four key developments that will affect the pensions industry the most

The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are

• more detailed privacy notices, whilst still being concise and easily understood;
• overlapping controller and processor obligations, especially around security;
• mandatory breach notification to regulators and members; and
• more severe sanctions for non-compliance.

What's happening on data protection?

Regardless of the progress of Brexit negotiations, it is very likely that the UK will still be a Member State of the EU on 25 May 2018. The GDPR will therefore apply to data controllers and processors in the UK on and from this date and the Great Repeal Bill will translate the GDPR into national law.

The Information Commissioner has also made it clear she expects that the UK will want to keep in step with European data protection standards after we leave the EU in order to facilitate cross-border transfers but also as many UK controllers and processors will process personal data of European citizens and are therefore caught by the GDPR in any event as it has extra-territorial effect.

Pension scheme trustees will, therefore, need to comply with the GDPR from 25 May 2018.

With just over one year to go until the GDPR goes into force, it is now time to map your data flows and start reviewing current policies, procedures, systems and practices and ensuring you understand your data protection obligations.

The new law is not as radical a departure from the old law as might have been feared. Broadly speaking, data processes that are lawful under the UK's Data Protection Act 1998 are likely to remain lawful under the GDPR. This should provide some comfort to trustees to the extent they are compliant with the current legal requirements. This is, however, subject to four important changes that are particularly relevant to pension schemes.

What are the key changes for pensions under the GDPR?

1. More detailed privacy notices

The requirements relating to privacy notices under GDPR are more detailed and specific than under the DPA and place more emphasis on making them understandable and accessible. Privacy notices will need to contain additional information, such as details of the legal basis for the processing of the personal data that is held.

Existing privacy notices will therefore need to be reviewed and updated accordingly.

2. Overlapping controller and processor obligations, especially around security

Under the GDPR, data processors (i.e. those who process personal data on behalf of a data controller, such as a scheme administrator) will, for the first time, be subject to direct legal obligations. This significant exposure to additional legal liability will make compliance a higher priority amongst actuaries, employee benefit consultants and other advisers.

In addition, the GDPR will require agreements between trustees and these parties to cover various data protection issues. Data controllers (such as trustees) are not relieved of their obligations under the GDPR even if they have delegated to a third-party data processor.

3. Mandatory breach notification to regulators and members

Under the GDPR, breaches of the data protection requirements must be reported to the national supervisory bodies (i.e. the Information Commissioner's Office in the UK) within 72 hours. If breaches are likely to result in a high risk to the rights and freedoms of data subjects (i.e. pension scheme members, employees etc.), the breach has to be communicated directly to the affected persons without undue delay.

4. More severe sanctions for non-compliance

The GDPR imposes significantly greater fines for non-compliance, up to the greater value of €20 million and 4% of global annual turnover for the majority of data processing that is relevant for the pensions industry.

The overriding theme and six key principles for processing personal data

Accountability

• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary
• Accurate and kept up to date
• Retained for no longer than is necessary
• Processed in manner to ensure appropriate security

Pension scheme checklist

Data map

Conduct an audit or create a data map of your scheme's data flows to show:

• what personal information you hold;
• where it comes from (e.g. does it come from the members, the sponsoring employer etc.);
• what systems it is stored in;
• what other systems is it sent to;
• the purpose for which you process it;
• what condition you rely on for processing;
• what third parties can access it;
• physically where is it stored; and
• for how long is it stored.

Gap/risk analysis

Using the data map, assess whether the treatment of data is GDPR compliant, for instance:

• where you rely on consent for processing, is that the only condition that can be used? If so, can you evidence consent and does it meet the GDPR standard?
• test whether you need all the data you collect. Consider data minimisation - at what stage could data be 'pseudonymised' (i.e. where identifying information such as a member's name is replaced by a pseudonymous identifier) or anonymised?
• are the systems technically capable of implementing data subject access rights e.g. portability and right to be forgotten?

Privacy notices

1. Determine a strategy for dealing with privacy notices. As part of this, you should:
   • consider whether, with employer, you are a joint data controller (i.e. jointly determining what data is obtained and the purpose for which it is processed) and whether there is benefit in a joint privacy notice for these joint activities;
   • decide if there will be different privacy notices where data is obtained from a third party (i.e. not the data subject);
   • decide how you will record or evidence that a notice has been given;
   • consider how you will update privacy notices (and record or evidence that the updated privacy notice has been provided);
   • consider how best to fulfil the requirement to deliver detailed information which is still concise and easy to understand.
2. Review and update privacy notices accordingly.

Working with third party data processors/data controllers.

1. Are your third party suppliers data processors or data controllers?
2. Review contracts with third party data processors (e.g. benefit consultants, administrators, actuaries) and update data processing clauses. Also, review liability clauses and indemnities to see if the risk allocation is still appropriate given that processors now also have statutory obligations and that, in areas like security, both the data controller and the data processor have the same obligation.
3. Processors also have to give 'sufficient guarantees' to demonstrate that they can meet the standards of GDPR. Ask processors for these. Work with internal teams to determine what evidence will be acceptable.

Governance and training

1. Will you appoint a voluntary data protection officer (DPO)? Or will you designate someone who is point of contact for data protection? Could a sub-committee be given responsibility for data protection issues?
2. Create and develop strategy to maintain records of data processing.
3. Consider whether you should develop a Data Protection Impact Assessment template ready for use when implementing new technologies or processing data that is likely to present a high risk to rights and freedoms of individuals.
4. Update internal policies and guidance.
5. Update training materials and ensure all staff who handle personal data receive updated GDPR training. Senior management should also receive training to demonstrate accountability.

Data breach incidents

Create or update policies relating to handling of data breaches and reporting to the Information Commissioner's Office (ICO) and, where necessary, affected data subjects. Require third party processors to feed into this.

Security

The standard of security required under GDPR has not changed but the GDPR provides more context around factors to consider to determine what is an appropriate level of security.

Consider (and ask scheme administrators) whether their systems:

• anonymise or 'pseudonymise' personal data;
• encrypt personal data;
• use cloud-based email, data storage or file transfer systems (and, if so, whether this data is backed up outside of the UK or the European Economic Area);
• have in place adequate information security systems to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems;
• have in place a process of regular testing, assessment and evaluation of its information security systems; and
• have in place a robust data back-up and disaster recovery and restoration policy.