WHAT IS THE GDPR

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will apply to data controllers and processors. The GDPR will replace the Data Protection Act 1998 and will continue to apply after Brexit as the UK will be implementing a Data Protection Bill.

DEFINITIONS

Data Controllers - determine what the processing of personal data is used for and how it is processed. Trustees and possibly scheme actuaries will be the data controllers.

DPA - Data Protection Act 1998

ICO - Information Commissioner's Office

Personal data - information relating to an identified or identifiable living person which is processed by automated or manual means.

Data Processors - carry out the processing of personal data on behalf of the data controller. Processing includes the collection, recording, organisation, storage, erasure and destruction of data. Administrators will be one of the main processors of scheme personal data.

Special categories of data - replaces the term sensitive data in the DPA and includes personal data regarding health, sexual orientation and race.

KEY CHANGES

Obtaining consent. Consent must be explicitly given and requires a clear, affirmative action. It must be just as easy to withdraw consent as it is to give it. Silence, pre-ticked boxes or inactivity will not constitute consent.

Data breach notification. Where the breach is likely to result in a risk to the rights and freedoms of the individual, the timescale for reporting the breach to the ICO is 72 hours. The individual must also be notified without undue delay.

Demonstrate compliance. Detailed records of the processing activities should be kept and must be given to the ICO on request.

New rights for individuals. This includes the right to be forgotten. This is not an absolute right; however, an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Subject access requests. Timescales will be one month. In addition, the £10 fee for making such a request has been removed unless the request is excessive or manifestly unfounded.

Data processors will be directly accountable along with data controllers and can be fined in the same way.

PRINCIPLES OF PROCESSING

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

WHAT ARE YOUR LEGAL BASES FOR PROCESSING PERSONAL DATA

1 Consent

2 Legitimate interests of data controller

3 Comply with legal obligation

4 Performance of a contract

5 Protect interests of the individual

6 Public interest

FINES FOR FAILURE

The fines under the GDPR have increased. For procedural breaches the maximum fine is €10 million or 2% of annual global turnover (whichever is higher). For serious breaches the maximum fine is €20 million or 4% of annual global turnover (whichever is higher).

KEY ACTIONS

PLAN

  • Include GDPR as a trustee agenda item and obtain advice on GDPR compliance
  • Start engaging with third parties to review service agreements

ASSESS

  • Carry out a data mapping exercise
  • Consider legal bases for processing personal data - do not rely on consent unless necessary

UPDATE

  • Update security systems, data protection protocols and procedures to minimise risk and demonstrate compliance
  • Update member communications and service agreements