Prior to the GDPR compliance deadline of 25 May 2018, trustees and their advisors undertook the preparatory work necessary to ensure compliant arrangements were in place, in good time, ahead of the deadline. More than a year after that deadline, however, the focus should have shifted to maintaining compliance with the ongoing requirements of the GDPR regime. We outline below key items that pension trustees should keep on their agenda to ensure continued compliance with the GDPR.
1. GDPR & IORP II
Ireland, having failed to transpose IORP II ahead of last January's deadline, has yet to publish the necessary transposing legislation and related guidance. However, upon transposition, IORP II will require trustees to issue an annual benefit statement to all members (including deferred members). In preparation for this new requirement, trustees, as controllers of the personal data collected from scheme members, must consider addressing the GDPR risks attached to complying with it. GDPR principles relating to data accuracy, integrity and confidentiality are particularly important in this context, as the data held by many schemes on deferred members could be out of date. In anticipation of this new IORP II requirement, many schemes have begun carrying out a "data cleanse" or "data verification" exercise. This involves contacting deferred members to confirm their current contact details and email addresses and removing any inaccurate or out-of-date contact details.
2. Updating privacy notices
Trustees will likely have already issued members with a data privacy notice, setting out the requisite details relating to the processing of their personal data. However, in the event of a change in circumstances affecting the notice issued (e.g. where a different lawful basis is to be used, the purpose for processing member data has changed, additional data is collected, the retention period is extended, or data is to be processed by a new data processor), an updated privacy notice or "just in time" notice should be sent to scheme members.
Ideally, the updated privacy notice should be issued before the new processing takes place or the change takes effect. Also, in the event the personal data was not collected by trustees directly from the members, the notice should be sent within 1 month or as soon as possible thereafter. A practical approach may be to include the updated privacy notice with annual benefit statements. However, trustees would need to consider the length of time between the changes taking effect and the issuance of statements, and assess whether a separate (earlier) communication is required to ensure members are advised in compliance with the requirements.
3. Data breach management
Some trustees have had to grapple with suspected or actual data breaches in the last year. Trustees should have a Data Breach Policy in place that sets out a breach response plan and consideration should be given, in light of any such crises, to reviewing the robustness of the breach response plan. In any event, trustees should consider undertaking test runs to ensure the adequacy of the breach response plans and their ability to manage a crisis and mitigate risks for members.