Professional March 2017

PENSIONS INSIGHT

Pensions and the GDPR

Anna Copestake, senior associate at ARC Pensions Law, outlines how the GDPR will affect pension schemes

From 25 May 2018, the new General Data Protection Regulation (GDPR) will automatically apply to European Union (EU) member states. Its overarching aim is to strengthen and consolidate the EU data protection regime, but its practical effect should not be underestimated. The GDPR will bring about fundamental and wide-ranging changes to data protection laws with significant implications for those involved in running pension schemes. With just over a year until its implementation, trustees, employers and administrators should start preparing now.

Although the long-term application of the GDPR to the UK will depend on the implementation of Brexit, the current expectation is that the UK will find itself with data protection laws broadly similar to the GDPR. According to the recent White Paper, the Government will trigger the UK’s withdrawal by the end of March 2017, and the UK will leave within two years or, if earlier, when an exit agreement is signed. The UK may or may not remain in the EU on 25 May 2018. However, the Government intends to ‘preserve the rights and obligations that already exist in the UK under EU law’ by passing a Great Repeal Bill. Parliament will then decide which parts of that law to keep. A further White Paper will detail the approach of this Bill, but its effect will necessarily be shaped by the terms of Brexit. The deal struck might, for example, require the Government to adopt the GDPR into UK law as a concession for remaining in the single market. Alternatively, the UK may voluntarily adopt laws similar to the GDPR in order to demonstrate ‘adequate’ levels of data protection for the purpose of EU data exporting requirements, so as to bolster the continuation of international trade. So it is likely that the GDPR will apply to UK businesses (and pension schemes) to secure trade continuity for some time to come.

In some circumstances (e.g. when providing services or goods to, or monitoring the behaviour of, EU citizens), businesses with a large EU presence may be caught by the GDPR irrespective of UK law. So it is perhaps unsurprising that the message to date from the Information Commissioner’s Office (the ICO) is to “be prepared”.

The GDPR maintains some familiar concepts (e.g. personal data, data controllers and data processors), albeit updated for today’s technological age. However, there are some major differences that will have a significant impact for pension schemes, including the following.

● Fines – Maximum fines for non-compliance will increase to the greater of €20,000,000 or 4% of global turnover (currently the ICO can issue a fine of up to only £500,000).

● Reporting breaches – Data controllers (e.g. trustees and, in some circumstances, employers) will have to report serious data breaches to the ICO without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to pose a risk to the data subject’s rights. If there is a high risk to the data subject, then he or she would also need to be notified without undue delay.

● Processor liability – Data processors (e.g. administrators, IT providers) will have new and direct obligations relating to data security and access requests. They will also have direct liability to members and may be fined by the ICO. Contracts between data controllers and data processors will need revisiting to check that the scope of services and service level standards remain appropriate. Data processors may try to reallocate this additional liability under the contract (e.g. by seeking indemnities).

● Information and consent – Privacy notices are likely to need amending to include extra information about how, why and for how long members’ data is processed. Member consent processes will also need checking, as the GDPR introduces more onerous consent requirements.

● Individual rights – Individuals will have greater access to their data, the ability to transfer their data to another provider and limited rights to have it deleted.

● Accountability – There are new and comprehensive requirements to demonstrate compliance, and data controllers must conduct privacy impact assessments where processing is ‘high risk’.

Given the significant changes that the GDPR will bring and the fact that it is highly likely to apply at least for a period from May 2018 onwards, trustees and employers should start preparing now. Three recommended first steps are:

● Knowledge – become familiar with the GDPR and its key points.

● Audit – understand the current data processes and policies involved in the running of the pension scheme.

● Impact – start thinking about what processes and documents need revisiting in light of the GDPR.

The ICO has also published a twelve-step introductory guide to help prepare for the GDPR (http://bit.ly/1VeFVTY).

Professional in Payroll, Pensions and Reward | March 2017 | Issue 28