May 2018 will see the introduction of the EU’s General Data Protection Regulation (the “GDPR”), bringing wide-ranging changes to existing UK data protection legislation. The data held in respect of pension schemes by trustees, employers, administrators and providers will need to be treated in line with the new regime. Taking the first steps towards compliance with the new regulations is key, and 2017 will be the critical time for preparation. Although Brexit might result in the UK ceasing to be a member of the EU, the UK will be subject to the GDPR from May 2018 until Brexit, and the Government has confirmed that the UK will implement the GDPR. Avoiding the preparatory steps to comply would therefore be risky, in particular given the scope of the GDPR and its drive for security and accessibility of data. Key areas of change under the GDPR include:
- Significant increases in the level of fines that can be imposed on data controllers and data processors, from the previous £500,000 limit. For severe breaches, the potential fines have increased to €20m or up to 4% of the entity’s worldwide annual turnover in the preceding financial year, whichever is higher. If pension trustees do not have an annual turnover, the applicable maximum will be €20m.
- For lower-end breaches, such as a failure to retain a record of processing, the maximum fine is €10m or up to 2% of worldwide annual turnover.
- In order for the processing of personal data to be lawful, it must be done on the basis of a relevant condition. These conditions include, amongst others, that the data subject has consented to the processing, that the processing is necessary for the performance of a contract with the data subject, or that the processing is necessary for the purposes of a legitimate interest.
- Any party in the pensions arena relying on the legitimate interest condition needs to ensure that the data subjects are informed that their personal data is being processed on this basis and are given details of that legitimate interest. Communications will be key in highlighting this to members of schemes. Additional scrutiny, e.g. of pension trustees’ privacy notices, will be vital.
- In addition, data subjects have the right to object to the processing of their personal data. If the data subject so objects, the processing of that personal data must stop unless compelling legitimate grounds for the processing can be demonstrated.
- A renewed emphasis on data subjects being given information in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”, and a mandated list of information that a privacy notice should contain. This means a full review and likely re-issue of privacy notices is a priority. Reasons for the processing of personal data and the legal basis for this will need to be flagged.
- Where member consents are used as a relevant condition for processing, the GDPR provides that these consents can be withdrawn at any time. As a result, there may be moves away from using consent as a justification for processing and a focus on alternative grounds, for example, as part of a contract or on the basis of a clearly articulated legitimate interest. Where consents are used they must be unambiguous, so any request for consent should be written in plain English and in a transparent manner. An accurate record of consents will also be necessary.
Data processing agreements
- Agreements with data processors will need to include new mandatory terms. On the critical path to compliance will be a review of existing agreements with data processors to meet all GDPR requirements. 2017 will be the year of fundamental review of these agreements and the industry needs to be ready!
- New contracts affecting pensions entered into in 2017 would be best drafted to comply with the GDPR, to avoid having to rewrite them shortly afterwards.
Register of processing
- Under the GDPR, data controllers and data processors are required to maintain a record of their processing activities. This record must contain specific categories of information, including the purposes of processing and whether it could result in data being transferred outside the EEA. Data mapping and operational policies will be vital in the implementation and maintenance of such registers; you should start the process as soon as possible and complete it in the first half of calendar year 2017.
Notification of breaches
- A data protection breach must be notified to the ICO within 72 hours of becoming aware of the breach if there is a risk to the data subject – here any pension scheme member or beneficiary. This is a very short window. A robust data breach response plan must therefore be in place to ensure the pension trustee would be in a position to identify, review and report notifiable breaches within this timescale. In particular, pension trustees will need to consider how they will interpret “awareness” of a breach, as there is likely to be an initial period in which the pension trustee suspects a breach has occurred but has not yet confirmed it.
- Contractual obligations are likely to be imposed on data processors to report suspicions of a breach to the trustees or employers.
Data subject rights
- The rights of data subjects will be extended: existing rights, such as erasure and rectification, are widened, and new rights are introduced, such as the right to data portability, the right to restriction of processing and the right to object to processing carried out on the basis of legitimate interest. Assessing the impact on pension scheme operation and incorporating these rights will be key.
Transferring personal data outside the EEA
- Personal data should only be transferred outside the EEA if adequate safeguards are in place e.g. explicit consent, an adequacy decision, standard contractual clauses or under Privacy Shield (which relates to transfers of data between the EU and the US). Recent challenges to the Privacy Shield and the model clauses mean this aspect remains fluid and should be kept under review.
- Given the increased use of cloud computing, the ability of entities to lawfully transfer personal data outside the EEA is becoming ever more important as the servers on which the information is held are often physically located outside the EEA. Pension scheme procedures need to be assessed for the transfer of personal data outside the EEA.
Privacy by design and default
- There is a running theme throughout the GDPR that privacy of personal data should be considered at the very early stages of projects and not simply be an afterthought. Examples of this theme include the extensive provisions surrounding privacy impact assessments. Those operating pension schemes, and projects which address pension issues, will need to review their privacy approach.
Data protection officer
- The GDPR requires that a data protection officer must be appointed where the core activities of the pension trustee consist of processing which requires the “regular and systematic monitoring of individuals on a large scale”. Given that the pension trustee will monitor the data of its members, it is likely that pension trustees will be required to appoint a data protection officer, who must have the appropriate expertise to perform the role.