As mentioned in our summer newsletter, the General Data Protection Regulation (GDPR) will take effect in the UK and across Europe on 25 May 2018 and replace the current UK Data Protection Act 1998 (DPA). In August, the Government also confirmed that it will enact a Data Protection Bill to bring the GDPR into UK law, meaning that it will continue to apply regardless of the outcome of Brexit negotiations.
The GDPR imposes much more prescriptive obligations on organisations in terms of how personal information is used. While May 2018 might seem like a long way off, the nature of the obligations under GDPR means that trustees and employers should be considering now the steps they need to take to comply, particularly in light of the significant new penalty regime and reputational damage that could arise as a result of non-compliance issues, including data security incidents.
What does this mean for trustees/employers?
The GDPR will apply to all personal information processed by pension scheme trustees and employers. Trustees will hold personal information relating to members of a pension scheme (for example name, contact details, details of scheme benefits and salary information) and also relating to dependants/beneficiaries. Employers will also hold details about scheme members and other employment information relating to them. For some large employers and pension schemes, this could amount to a significant volume of personal information.
We have set out below a number of issues under GDPR that are likely to be particularly relevant to the administration of pension schemes:
- Contracts with administrators and other third parties: The GDPR requires certain provisions to be included in all contracts where one party processes personal information as a data processor on behalf of another party, who is a data controller. It also requires two parties who process personal information together as joint data controllers to set out in writing each party's responsibilities for the joint processing and to make the details of the arrangement available to individuals. Existing contracts, for example, with scheme administrators and payroll providers should be reviewed to identify whether they are data processor or joint data controller arrangements. Such contracts should be amended where necessary to include GDPR compliant provisions. New contracts which may extend beyond 25 May 2018 should also be drafted to comply with these requirements.
- Cross-border transfers: Where personal information is being transferred, accessed from or stored outside the EEA, the GDPR requires that certain protections are put in place for such transfers. These transfers may occur, for example, where scheme members are employed by a company that is part of an international group and employee data is shared between those companies, or where pension scheme trustees engage a service provider who hosts or accesses personal data from outside the EEA. This could include certain cloud storage providers or IT service providers. Trustees and employees should identify where cross-border transfers occur and consider how these transfers comply with GDPR requirements. This may include, for example, taking steps to put in place model EU data processing or data controller contractual clauses if non-compliance issues are identified.
- Accountability: The GDPR requires organisations to "demonstrate" they comply with the GDPR. Trustees and employees will need to update their policies/procedures to reflect specific obligations they have under GDPR (for example to reflect how certain breaches of the GDPR would be notified to the Information Commissioner's Office). Certain organisations, including employers with more than 250 employees, will also need to keep detailed records of how they use personal information, including third parties with whom it is shared and countries to which it is transferred.
- Consent: Consent from an individual is one of the legal bases on which pension scheme trustees or employers may be entitled to use personal information. Where they rely on an individual's consent, that consent must comply with the new, more stringent, requirements of GDPR. Trustees and employers will need to consider these new requirements where they plan to rely on consent for a particular activity, for example, member consent in relation to a risk management exercise. They will also need to consider whether they can continue to rely on any existing consents they have obtained or whether there is another legal basis under the GDPR for using personal information. If they do need to rely on consent and any existing consents do not comply with GDPR, they will need to obtain new consents.
In addition to the issues highlighted above, for employers, the GDPR is likely to have a much broader impact as they will need to consider the requirements in light of all personal information they hold in relation to employees, customers and suppliers.
Does it matter?
The potential fines for non-compliance will increase significantly from the current maximum of £500,000 to an eye-watering maximum of £17 million or 4% of global turnover (whichever is higher) depending on the type and severity of the breach. Data security breaches tend to be widely reported in the media and any negative publicity associated with GDPR non-compliance could also cause significant reputational damage.
Whilst the GDPR includes a number of significant changes to the current data protection legal framework, many of the requirements reflect current best practice or are an extension of compliance with the DPA. However, some of the new requirements may, from a practical perspective, take time to implement. Given the volume of personal information that may be processed in relation to members of some pension schemes, it is especially important that trustees and employers consider how GDPR may affect them and begin to prepare and implement the new requirements as soon as possible.
It can take time to implement a GDPR compliance project and we would recommend adopting a well thought out compliance strategy which is implemented in a controlled and measured way over the next nine months, rather than trying to rush things through in the weeks immediately before 25 May 2018.