The General Data Protection Regulation (GDPR) will significantly change the current data protection obligations of pension scheme trustees as “data controllers”, and it is no longer possible for trustees, or for the third party service providers who process data on their behalf (“data processors”), to take a passive approach to the issue. Trustees must keep records and policies setting out how they comply with GDPR and keep that compliance under review.
The sanctions for non-compliance have increased enormously from the current cap of £500,000. Fines for minor breaches are now capped at 10 million euros or 2% of global group turnover if greater, and fines for fundamental breaches are capped at twice those amounts. It remains unclear how corporate trustees that are part of the employer’s group will be treated for global turnover purposes.
Data mapping and data security
Trustees should fully understand the data processing activities carried out by the pension scheme, keep records of them, and record how they comply with GDPR. Trustees will need to understand why data is being collected, how, when and where (inside the EEA or outside) it is being processed, and whether the processing is proportionate and necessary. There is also an increased focus on the security of data.
We can provide a data mapping questionnaire to assist with this “data mapping” but it is likely to be a substantial exercise and your scheme advisers may also be able to help. You may wish to consider the use of specialist providers of data mapping and cyber security services and we can provide you with contact details if helpful.
Review and update policies and procedures
Put in place GDPR compliance policies and procedures. Existing policies are unlikely to be adequate, particularly in view of the new obligations to report breaches and take action, sometimes within short timescales. In addition, individuals are going to have stronger rights under GDPR and Trustees will need to document how these will be dealt with. These new rights include a right of subject access, under which an individual can request information about the personal data held about them, how it is held and who has access to it, among other matters.
Determine, record and communicate the grounds on which data is processed
Consider the grounds on which data is being held by the scheme. Once the data mapping is complete, Trustees should consider the ground on which they are processing data and record it. Members must be written to prior to 25 May 2018 to explicitly tell them which ground is being used. If consent is currently being relied upon, new consents will be necessary, and in any event consent may no longer be appropriate under GDPR because it can now be withdrawn. The processing of sensitive personal data (race, ethnicity, health, sexual orientation) will require consent or reliance on specific derogations.
Review current communications with members on data protection
Existing privacy (fair processing) notices will need to be reviewed where currently in place, and new or updated notices may be required to include the core pieces of information now mandated by GDPR. In addition, wording in standard documents (such as application forms or expression of wishes forms) may need to be updated to ensure full compliance. Consideration should also be given to forms sent to other beneficiaries of the scheme, such as dependants.
Review and renegotiate existing third party service provider contracts
For the first time, data processors are also required to comply with certain data protection obligations, and Trustees (as data controllers) are required to ensure that such third parties have adequate procedures in place. GDPR requires certain specific matters to be explicitly dealt with in contracts. In addition, as third parties can now become jointly liable for data protection fines, liability and indemnity clauses will need to be carefully reviewed.
What should Trustees do now?
Trustees should start talking to their pension scheme advisers (lawyers, actuaries, administrators etc.) about GDPR and how best to manage the compliance process. It may be appropriate to add GDPR compliance as a standing item on meeting agendas and even to delegate the issue to a sub-group of Trustees. Some sponsoring employers may have data protection teams able and willing to help.
We are also here to help you ensure compliance. We can assist with the analysis of processing grounds and advise on the requirements and derogations for sensitive personal data, as well as review current member communications, draft and review policies and procedures and carry out contractual reviews.