The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. We answer GDPR FAQs for pension trustees.
Below are the most frequently asked questions we have received from trustee clients as we work with them to ensure their compliance with the GDPR. If your question does not appear or you would like assistance with your GDPR compliance project, please contact Catrin Young who is leading on our GDPR project for pensions trustees, Alice Honeywill or your usual pensions contact.
We are working with many trustees on GDPR at the moment and have fixed price packages and template documents available to help, and can also provide training.
- What is “personal data”?
- What constitutes “processing” of data?
- What do trustees need to do to be GDPR compliant?
- Which providers are likely to be data processors in relation to a scheme? What steps should we take in relation to them?
- Will any advisers to the trustees be data controllers and, if so, do we need to send them a data processing questionnaire?
- Who else should we write to?
- What is the trustees’ legal basis for processing personal data?
- Do trustees need consent to process special category personal data?
- How long can trustees retain data for? Does that change if a member exercises his right to erasure?
- Do trustees need to appoint a data protection officer?
- When could trustees be required to conduct a privacy impact assessment?
- Should trustees worry about cyber security?
- What safeguards are required when processing personal data outside the EEA?
- Do we need our lawyer to review our new GDPR compliant administration agreement or addendum?
- If a scheme is wound up, is GDPR still relevant?
- How will fines for breaches of GDPR by trustees be assessed?
- Can trustees insure against GDPR breaches?
1. What is “personal data”?
Personal data is defined under GDPR as any information relating to an individual from which they can be identified, directly or indirectly, or from which, with other information, they can be identified.
Identifiers may include a member’s name, address, date of birth, an identification number such as a National Insurance number, health data, an online identifier or one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that member. It makes no difference where the data is held, e.g. whether it is in a computer database, in emails, or on paper in a filing system of such a type that the data is readily obtainable. It will still be personal data and must be processed in accordance with the requirements of the GDPR.
Be aware of anonymised or pseudonymised data sent to insurers for buy-in or buy-out pricing purposes as the data may still constitute personal data if the information could be pieced together to identify individuals. The trustees should ensure they enter into a data sharing agreement before sharing the data and ensure that sharing data with prospective insurers is listed as one of the ways in which member data could be processed in a fair processing or privacy notice issued to members.
2. What constitutes “processing” of data?
Under GDPR, data processing covers any operation that is performed on personal data including storage, retrieval, consultation, use or otherwise making data available to someone. Trustees and advisers need to take extra care when accessing personal data outside the EEA via their smartphone or laptop, or if back-up servers containing personal data are held outside the EEA. If any of these activities take place outside the EEA, the trustees will need to ensure the additional safeguards required by GDPR are in place or consider prohibiting the processing of such personal data outside the EEA.
3. What do trustees need to do to be GDPR compliant?
As a minimum, trustees should:
- conduct a data audit to identify what personal data is held in relation to the scheme, where it comes from and which individuals or entities it is or was shared with
- issue members and beneficiaries with a fair processing or privacy notice which sets out, among other things, members’ rights under GDPR and how to exercise them
- prepare an internal data protection policy to demonstrate accountability on GDPR to members, beneficiaries and the Information Commissioner's Office (ICO)
- ensure they have GDPR compliant contracts in place with all their data processors by 25 May.
4. Which providers are likely to be data processors in relation to a scheme? What steps should we take in relation to them?
The GDPR defines data processors simply as those who process personal data on behalf of the data controller i.e. the trustees. Those who process data controlled by the trustees could include:
- scheme administrator
- scheme employers (including if administering pensions payroll or providing pensions secretarial support)
- AVC providers
- annuity providers
- insurers including in respect of buy-in policies and life assurance policies
- external payroll providers
- track and trace agencies
- fraud detection agencies.
An interesting point to note is that ICO guidance states that Royal Mail is not considered to be either a data controller (as it does not determine the purpose and processing of personal data) or a data processor (as it does not process data on behalf of the data controller). Trustees who use Royal Mail to send personal data are liable for its security.
GDPR requires trustees to conduct due diligence on their data processors to confirm that they implement appropriate technical and organisational measures providing a level of security appropriate to the risk of their processing of personal data. Many trustees have been working on this by sending questionnaires to their data processors.
As of 25 May, trustees will not be permitted to use data processors that do not provide sufficient guarantees to implement security measures that meet the requirements of the GDPR and ensure the protection of the rights of the data subjects. As such, many scheme administrators and other providers have been asking trustees to sign new GDPR compliant agreements or an addendum to the trustees’ existing agreement.
Where there is no existing written contract, one should be put in place to cover at least the data protection aspects in order to ensure compliance with GDPR.
5. Will any advisers to the trustees be data controllers and, if so, do we need to send them a data processing questionnaire?
The ICO’s guidance confirms that it regards legal advisers as data controllers as they determine how data received in relation to an individual will be processed to allow them to enforce their legal rights. The scheme actuary will also be a data controller for the same reason. Others (for example life assurance providers, DC platform providers) may accept that they are data controllers in relation to at least some of the services provided.
Data controllers are directly responsible for compliance with the UK’s data protection regime. This direct responsibility reduces the need for the trustees, as data controller, to conduct due diligence on their solicitors’ and actuaries’ data processing by issuing a full data processing questionnaire. Nevertheless, trustees should ask the data controllers to whom they send data to confirm that they process personal data as required under the Data Protection Act 1998 (DPA) and that they are actively completing work to ensure they will be compliant with GDPR (and related UK implementing legislation) by 25 May.
6. Who else should we write to?
We recommend getting in touch with anyone who may still hold personal data in relation to the scheme, whether or not they are the trustees' current advisers. As such, you will need to contact former trustees or former directors of trustees, former scheme administrators and advisers. They should be asked to confirm that they no longer hold personal data in relation to the scheme or have securely destroyed such data.
To the extent any of them maintain they have a legitimate ground on which to retain personal data (e.g. former administrators may retain limited personal data in case of future legal claims) they should be asked to confirm the basis on which they are holding that data and be asked to complete a data processing questionnaire.
Member/fair processing notices
7. What is the trustees’ legal basis for processing personal data?
GDPR requires trustees as data controllers to document their legal basis for processing personal data, and to make that information known to the data subjects in a fair processing or privacy notice which is issued to members at the point data is collected. While the potential legal justifications remain the same as those set out in the DPA, the requirement to confirm the justification in writing to members is new.
Trustees need to be sure what their current legal basis is for holding the data that they have. There are four potential legal justifications relevant to pension scheme trustees:
- Processing is necessary for the performance of a contract to which the data subject is a party.
- Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller.
- Processing is being conducted with the consent of the data subject.
Trustees will need to consider which of the above bases may be relevant to their scheme and document that legal justification in their fair processing or privacy notice. There is no restriction to the number of legal bases that trustees may rely upon.
8. Do trustees need consent to process special category personal data?
Certain types of data known as “special category personal data” (or “sensitive personal data” under the DPA) have much more restrictive rules surrounding their processing. Usually explicit consent of the data subject is required to hold and process this type of data. For pension schemes, information regarding a member's health and sexual orientation (for example if nominations of spouses/civil partners from an expression of wish form are received) would fall within this category.
The Data Protection Bill (which will repeal the DPA and provide for certain domestic derogations from the GDPR) contains a useful derogation from the GDPR. If implemented, the derogation will permit trustees to process special category personal data without member consent, provided the trustees have an enforceable data protection policy in place. The data protection policy will need to set out how data is retained and erased, and will need to record the fact that the trustees are relying on the exemption.
9. How long can trustees retain data for? Does that change if a member exercises their right to erasure?
Among other statutory requirements on retention of pension records, pension trustees are required under the Occupational Pension Schemes (Scheme Administration) Regulations 1996 to keep records for six years from the end of the scheme year to which they relate. In practice, pension records will be kept for considerably longer than six years.
Owing to the long term nature of pension schemes, it is arguable that trustees may be able to retain personal data for as long as the member's pension, and any pension in respect of him, is payable and for such time after that as may be necessary to defend any legal claims, i.e. potentially for up to 15 years following the winding-up of the scheme.
The right of erasure or the right to be forgotten is one of the most talked-about innovations of GDPR. It provides a member with the right to request the deletion or removal of their personal data, including information published or processed online. It is not, however, an absolute right. Individuals only have a right to have their personal data erased in certain circumstances. Some of the grounds that will be relevant for pension trustees are:
- that the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- that the individual has withdrawn their consent and such consent was the only legal basis on which the data controller was entitled to process the data (hence the importance of establishing and documenting a ground other than consent for processing data)
- that the individual has objected to the processing and there is no overriding legitimate interest for continuing the processing.
Trustees can refuse requests for members' data to be deleted in certain situations. The two main examples where data can be retained in a pensions context are:
- to comply with a legal obligation (e.g. where trustees are under a statutory requirement to retain data for a specified period such as the six year period discussed above)
- for the exercise or defence of legal claims. Even in cases where a member has transferred his benefits out of the scheme the trustees could face a claim which gives them a legal basis upon which to retain data relating to such members. Trustees should consider placing such data in an archive, to which access is limited, to reduce the risk of any data breaches occurring. However, such data is still personal data and so the data protection principles will still apply.
Internal data protection policy
10. Do trustees need to appoint a data protection officer?
The GDPR requires the following types of organisation to appoint a Data Protection Officer (DPO):
- all public sector organisations
- organisations whose core activities require regular and systematic monitoring of data subjects on a large scale
- organisations whose core activities require the processing of special category data and data relating to criminal convictions and offences.
Processing of special category data and data relating to criminal convictions and offences is unlikely to be a core activity for pension trustees. Our view, therefore, is that trustees will not be required to appoint a DPO but may choose to do so on a voluntary basis, for example if there is a DPO within the sponsoring employer group who is willing to take on the role.
The person appointed could (as a minimum) be responsible for keeping up to date on data protection law, ensuring data protection policies and procedures are up to date, and maintaining data protection as an identified item on the trustees' risk register. If someone is appointed on a voluntary basis, be aware that it may be better not to designate them as a DPO, as even giving them the job title could mean they have the duties and rights pertaining to the role under the GDPR. It would therefore be sensible to create a different title for the individual.
If trustees decide that they are not required (or do not want) to appoint a DPO, we recommend that they document the reasons for their decision to satisfy the accountability requirement of GDPR.
11. When could trustees be required to conduct a privacy impact assessment?
Where any processing uses new technologies or is likely to result in a high risk to the rights and freedoms of members, data controllers are required to carry out a data protection impact assessment before the processing begins. A privacy impact assessment is a process that helps an organisation to identify and reduce the privacy risks of a project. The ICO has developed a Code of Practice under the DPA on conducting a privacy impact assessment, which is in the process of being updated to take account of the GDPR.
The ICO indicates that processing that is likely to result in a high risk includes (but is not limited to):
- systematic and extensive processing activities, including profiling, where decisions are made that have legal effects – or similarly significant effects – on individuals
- large scale processing of special categories of data or of personal data relating to criminal convictions or offences.
While it is unlikely that a privacy impact assessment will be needed where trustees are implementing a change in administration systems, certain employer-led de-risking exercises could trigger the obligation for trustees to conduct such an assessment. Examples include where the employer wishes to conduct an enhanced transfer value exercise, pension increase exchange exercise or wants to complete a buy-in or buy-out of the benefits of a certain class of beneficiary on the grounds of their health.
12. Should trustees worry about cyber security?
GDPR does not prescribe how data controllers should address the risks posed by cyber security. It does, however, state that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
Items to consider include pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore data in the event of a physical or technical incident, and a process for regularly testing and evaluating the effectiveness of any measures.
The Pensions Regulator has also, of course, highlighted cyber security as a key risk for pension trustees. While reviewing their data protection policies to ensure compliance with GDPR, trustees should also document their processes to protect the security of members’ personal data and work closely with their administrators and sponsoring employers to understand the risks and the processes and measures that are in place to help counter those risks.
It is clear from GDPR that there is an expectation to move with the times as technology develops. Think of the technological advances and changes we have seen since DPA was introduced in 1998! It is essential, therefore, to keep policies and procedures under regular review.
Third party contracts
13. What safeguards are required when processing personal data outside the EEA?
As with the DPA, transfers within the EEA, or to a country on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data, are permissible without any additional safeguards. Currently this list includes Canada, Switzerland, Argentina, Guernsey, Jersey and the Isle of Man.
Transfers to the US have proven to be problematic in the past: in 2015 the European Court found that the US Safe Harbour measures did not offer adequate protection for the rights and freedoms of data subjects. The US is now, however, back on the approved list, having agreed replacement measures known as the Privacy Shield, under which US organisations can self-certify that they comply with data protection laws.
Trustees who wish to transfer personal data to, or access it from, the US will need to check whether the recipient organisation is signed up to the Privacy Shield. If it is not, or if the trustees wish to transfer data to a country outside the EEA and not on the European Commission's approved list, they will need to enter into a data sharing agreement based on the EU Model Clauses.
Trustees’ fair processing or privacy notices must also inform members if there will be any data transfers outside the EEA and of the safeguards in place to ensure that, where such transfers take place, the data is processed in accordance with EU law.
14. Do we need our lawyer to review our new GDPR compliant administration agreement or addendum?
In a word: yes. The administration agreement governs the relationship between the trustees, as data controllers, and their third-party administrators, as data processors. It acts as a binding data processing agreement and, as such, GDPR dictates a list of items that must be included in it. For example: personal data must only be processed in accordance with the data controller’s instructions; the data processor must notify the data controller without undue delay in the event of a data breach; and the data processor must either return or delete the personal data once the provision of services has ended.
Failure to have a compliant data processing agreement in place with any third-party vendor is a breach of GDPR which opens up the possibility of sanctions imposed by the ICO.
The significant increase in the fines that can be levied by the ICO for non-compliance is likely to cause a review of liability limitations within administration agreements. As third-party suppliers (such as pension administrators) can now face direct liability under GDPR, as data processors, it is expected that administrators will attempt some negotiation of the liability and indemnity clauses in the administration agreement. We are starting to see some early drafts of administration agreements and whilst most have been GDPR-compliant, they are not always commercially favourable for trustees.
15. If a scheme is wound up, is GDPR still relevant?
Potentially, yes. GDPR should still be considered since even following the wind-up of a pension scheme, some personal data is retained in case of future legal claims and to meet regulatory requirements.
Individual trustees are advised not to keep any personal data once wind-up is complete or there is a risk (subject to the terms of any insurance policy and/or employer indemnity) that they could be found personally liable under the GDPR if there is a breach in relation to that data.
Trustees should, therefore, only keep documents such as the Deed of Termination, the insurance policies and the final accounts. Some trustees reach agreement with the sponsoring employer or scheme administrator to retain other scheme data and documents post wind-up so that they contractually assume responsibility for the data along with an obligation to give the trustees access to it if they need it to defend legal claims or provide it to regulatory authorities. Such agreements should be drafted to ensure that liability for GDPR breaches is passed to the entity storing the data. We also recommend reviewing any such agreements already in existence to ensure they are GDPR compliant.
Liability and risk
16. How will fines for breaches of GDPR by trustees be assessed?
Fines for breaches of the GDPR may be much greater than is the case at present. At the moment, the ICO only has the ability to fine up to a maximum of £500,000. Under GDPR, for certain breaches the ICO will be able to impose fines of up to the higher of:
- 4% of annual global turnover; and
- €20 million.
If a scheme has individual trustees, it is likely the maximum fine will be €20 million. However, where the trustee is a corporate trustee and part of the employer’s group, there is the potential for these to be assessed on the turnover of the corporate group of the sponsoring employer.
17. Can trustees insure against GDPR breaches?
Many trustee boards take out indemnity insurance in respect of potential claims that may be brought against them in performing their role as trustees of the pension scheme. The cover provided by these policies can vary significantly with some excluding liability for regulatory fines and others including them.
Trustees should ask their legal advisers to review the terms of their indemnity insurance to see if fines imposed by the ICO are covered or whether they should increase or extend their cover in light of the increased fines that can be imposed under GDPR. Any review should pay particular attention to:
- general cover levels (some policies provide very low cover)
- the definition of loss under the policy – does it cover civil fines and penalties? Does it cover all regulatory fines or just those imposed by the Pensions Regulator?