What you need to know about data protection

  • To learn what the GDPR is.
  • To understand what steps are needed to help pension schemes get ready.
  • To ascertain what additional measures are needed to ensure compliance.

From 25 May 2018, the General Data Protection Regulation (GDPR) will have direct application in the UK.

Trustees and advisers of UK pension schemes will need to be fully compliant, or risk hefty fines (up to €20m or 4 per cent of the total worldwide annual turnover if higher).

But what are the issues the trustees of UK pension schemes need to consider, and what should corporate advisers be highlighting to them about GDPR? 


It is unlikely that all pension schemes will achieve full compliance by the deadline, but since the fundamental principle underlying the GDPR is about minimising the risk of harm to data subjects, that should be the trustees’ focus.

Generally speaking, trustees need to assess the risks to their scheme members and, if they cannot amend their systems to achieve full compliance, mitigate those risks as best they can.

Here are 10 issues to consider now to help schemes reach compliance.

Issue 1: mapping data

Many trustees have given only limited thought to where their members’ data goes, and how it is secured.

Before trustees can make useful progress in their quest to comply with the GDPR, they should begin assessing where their members' data goes and why.

Clearly, trustees will need to share their members' data with the scheme administrator and the scheme actuary, but other parties also need to be considered.

For example, the scheme's lawyers often receive personal data (sometimes when it is unnecessary). In some cases feasibility studies for particular investments are undertaken, and personal data is passed across to benefits consultants for this purpose.

Insurers and reinsurers offering longevity hedges will need access to personal data for the purposes of pricing a particular portfolio. The same question should also be asked from the trustee board's own perspective.

How much personal data does the board receive, and what technical and organisational measures are taken to ensure the integrity of that data?

Issue 2: an updated data protection policy

The principle of 'accountability' underpins the GDPR. It is no longer enough simply to comply; you must be able to show how you have complied.

A robust data protection policy will help to demonstrate that. The process of determining what needs to be included in the policy will assist in drawing out areas that need focus. It is unlikely that the policy can be finalised until much of the GDPR compliance project is complete.

Issue 3: consider the lawful basis for processing

A scheme cannot process personal data under the GDPR without a lawful basis, for example having the consent of the data subject. The most helpful basis for ongoing scheme business is likely to be the following:

“Processing is necessary for compliance with a legal obligation to which the controller is subject”.

Helpfully, a “legal obligation” is not expressly limited to statute. The common law legal obligations on trustees open up the scope of this provision.