The new European General Data Protection Regulation (GDPR) will come into force throughout the EU on 25 May 2018. The GDPR will replace existing data protection laws throughout the EU and introduce significant changes and additional requirements that will have a wide ranging impact on UK pension schemes. As the GDPR will come into force before the UK officially leaves the EU, UK pension schemes will need to comply with its requirements. Compliance will continue to be required once the UK leaves the EU.
The GDPR – the changes that will affect your scheme
The key changes and additional requirements introduced by the GDPR are:
• European data protection law will now apply worldwide – In a significant departure from the current requirements, in addition to organisations that are established in the EU, organisations that are located outside the EU that process personal data in relation to the offer of goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will now have to comply with European data protection law. In the pensions context, this will include overseas sponsoring employers who send or receive scheme member data.
• Tougher sanctions for non-compliance – The maximum fine for a breach of European data protection law will be substantially increased to 4% of an enterprise’s worldwide turnover or EUR 20 million per infringement, whichever is higher.
• A new data breach notification obligation – Organisations will now have to notify the relevant European data protection authority (the Information Commissioner in the UK) of a breach without undue delay and where feasible within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to the individuals concerned.
• New data privacy governance, data mapping and impact assessment requirements – Organisations may now need to appoint a data protection officer to be responsible for implementing and monitoring the organisation’s compliance with the GDPR, and to carry out assessments of the organisation’s data processing in certain circumstances. Organisations will now also be required to map their processing of personal data and to undertake data protection impact assessments for higher risk processing.
• A requirement to implement ‘privacy by design’ – Organisations must now take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when personal data is being processed.
• Strengthening of individuals’ rights to personal data – Individuals will have the right to have their personal data removed from systems or online content (the ‘right to be forgotten’), the right not to be subjected to automated data profiling (where this would produce a legal effect), and the right to be given a copy of the personal data relating to them in a commonly used format and to have that information transmitted to another party (the ‘right to data portability’). There may be exceptions in some cases, but nevertheless organisations must determine how they will enable individuals to exercise these rights
• Enhanced requirements for the supply chain – Organisations must only use other parties to process personal data where those parties provide sufficient guarantees that they will implement appropriate security measures to satisfy the requirements of the GDPR. These service providers will now be held accountable for their own level of appropriate security, must document their processing to the same extent under the GDPR, and must obtain prior consent to employ sub-processors. Organisations will need to review and amend their contracts with these parties to address the changes in responsibilities.
Preparing for the GDPR – 10 steps your scheme should take to get ready to comply
Your scheme should take the following 10 key steps:
1. Inform the leadership and formulate a plan – Trustees and other senior management (e.g. the pensions manager) should be made aware of the changes to data protection law and how it will affect the scheme. Trustees and senior management should designate the individuals that will formulate a plan for how the scheme will implement the requirements of the GDPR. The scheme should also liaise with the sponsoring employer(s).
2. Consider whether to appoint a data protection officer – A decision should be made as to whether it is required under the GDPR or is otherwise desirable for the scheme to appoint a data protection officer who will be responsible for the implementation of the requirements of the GDPR and monitoring compliance with it. This person should act as the head of the scheme’s data protection governance structure, report directly to the trustees, and be responsible for putting controls in place to implement and monitor compliance. Schemes may be able to share a data protection officer with a sponsoring employer.
3. Map your personal data – A detailed investigation should be conducted into, and a record created of, the personal data the scheme is collecting, the purposes for which it is being processed, how it was obtained, and the parties that it is being shared with.
4. Examine the impact – The information gathered from the personal data mapping exercise should be used to assess which data processing activities must comply with the GDPR.
5. Address the risks – Data protection impact assessments should be conducted to identify and minimise the risks associated with the processing of personal data by the scheme, particularly where there are high risks to the rights and freedoms of the members and other individuals concerned by the activities that are being or are going to be carried out.
6. Review the grounds under which personal data is being processed – How, and the basis under which, personal data is being collected and processed should be reviewed to determine if any changes need to be made for this to continue under the GDPR, particularly where ‘consent’ and ‘legitimate interests’ (which are more difficult to demonstrate under the GDPR) are going to be relied upon to process personal data.
7. Update your data governance – Scheme policies, procedures and other governance controls within the scheme should be updated to detail how the scheme will practically comply with the new requirements under the GDPR. Trustees and other relevant individuals such as members of the in-house pensions or administration team should receive training on, and be regularly updated about, this.
8. Implement new compliance systems – Plans and mechanisms must be put in place to ensure that the scheme can respond to a data breach and the new data breach notification requirements, the rights to be forgotten, to data portability, to object to automated data profiling and to be provided with access to personal data, and other rights that members and other individuals can exercise in relation to their personal data.
9. Review your supply chain contracts – Contracts with service providers and other parties that the scheme shares personal data with (in particular, the administrators) should be reviewed and, where necessary, renegotiated to ensure that the scheme is appropriately supervising the manner in which those parties process personal data and that they are complying with their obligations under the GDPR.
10. Assess your international transfers – Assess the manner in which the scheme currently carries out any international transfers of personal data and whether any mechanisms for carrying out these transfers need to be updated to comply with the GDPR.