On 25 May 2018, one year from today, the General Data Protection Regulation (GDPR) will come into force, placing new duties on anyone whose activities require them to hold data about identifiable living individuals. The GDPR will also greatly increase the fines which may be levied for a breach (up to 20 million Euros, or if higher in the case of an undertaking, up to 4% of the preceding financial year's worldwide annual turnover). In this e-bulletin we look at key areas where action is required in relation to pension schemes.
Update contracts to make them GDPR compliant
The GDPR will require scheme trustees as "data controllers" to have contracts in place with their service providers which include specific terms to cover various data protection issues. Scheme administrators are the most obvious example of service providers who will hold membership data, but compliant contracts will also be required with the scheme's actuarial advisers, buy-in consultants, tracing agents, auditors, pension consultants etc. unless all data held is in anonymised form that does not allow identification of individual members.
Existing contracts between trustees and their service providers are very unlikely to be GDPR-compliant as they stand, so trustees will almost certainly have to agree amended contract terms before 25 May 2018. We recommend that trustees are pro-active in contacting service providers with proposed amended terms. Standard terms drafted by a service provider are likely to be weighted in the service provider's favour, potentially exposing trustees to significant liability.
When updating for GDPR compliance, trustees may want to take the opportunity to review their administration contracts more generally. Service contracts with administrators are particularly key, as they effectively govern who bears the risk of things going wrong as a result of an administration error.
Consider use of industry-wide standards
The GDPR recognises the role of industry standards and certification mechanisms, so trustees may wish to ask their administrators whether they comply with these and, if so, specify the need for compliance in the terms of the contract.
Update Fair Processing Notices
The GDPR sets out additional information which must be included in "fair processing notices", the information which a data controller has to give to an individual regarding the data it holds. We recommend that trustees provide members with updated fair processing notices before 25 May 2018. Preparing revised fair processing notices well in advance of the deadline will hopefully enable them to be coordinated with other member communications.
Put a Cyber-security Policy in place
The GDPR requires trustees to be able to demonstrate that they are compliant with the data protection principles set out in the GDPR, including putting in place measures to ensure an appropriate level of security for the data being processed. Putting in place an appropriate cyber-security and data protection policy is important both from the point of view of focussing trustees' minds on this issue and being able to demonstrate compliance. Trustees need to consider both the standards which they will require of their administrators and also their own procedures for sharing data, e.g. how are meeting packs shared and do they contain more personal data than is strictly needed? If scheme data does get into the wrong hands, the trustees could be legally required to report the breach to the Information Commissioner, who may ask for details of relevant policies when deciding what level of penalty to impose.
Trustees may also need to review and update their risk registers to address GDPR compliance.
Trustees should consider whether the terms of any existing trustee liability insurance will cover them against liability for a data breach.
Review member literature and websites
Trustees should make sure that the wording of existing sources of member information such as booklets and websites is GDPR compliant. For example, references to a £10 fee being chargeable for a data subject access request will no longer be appropriate, as the GDPR requires data to be provided free of charge on a first request.
Though many of the issues highlighted here are trustee issues, the GDPR can also raise employer issues, e.g. is the employer also a party to the administration contract, meaning that the employer's agreement will be required to vary it? As ultimate funder of the scheme, the employer may end up bearing the cost of data protection compliance failures.
If the employer is asking trustees to share membership data with it for its own purposes (e.g. because the employer wishes to carry out a liability management exercise), this also needs to be considered from a data protection perspective, particularly because the GDPR imposes stricter standards as to what amounts to "consent" from an individual, as well as allowing much higher fines where data protection law is breached.
A year may seem a long way off, but planning for the GDPR now may save money in the longer term, for example by enabling updated fair processing notices to be incorporated into broader member communications. Agreeing GDPR-compliant terms with service providers now will put trustees in a stronger negotiating position than waiting until the last minute.