Pensions, Aug 1 2017

What you need to know about data protection

  • To learn what the GDPR is.
  • To understand what steps are needed to help pension schemes get ready.
  • To ascertain what additional measures are needed to ensure compliance.
CPD: approx. 30 min

A scheme cannot process personal data under the GDPR without a lawful basis, for example having the consent of the data subject. The most helpful basis for ongoing scheme business is likely to be the following:

“Processing is necessary for compliance with a legal obligation to which the controller is subject”.

Helpfully, a “legal obligation” is not expressly limited to statute. The common law legal obligations on trustees open up the scope of this provision.

For example, trustees could seek to rely on the common law obligations to carry out the terms of the trust, to act for a proper purpose and to act fairly between all beneficiaries.

A second basis for processing member data might be the following: 

“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.”

It is worth noting that this allows processing for the purposes of the legitimate interests of a third party, for example the employer, but it is subject to balancing the interests of the data subject.

In practice, the trustees should take a moment to consider the position before processing on this basis.

This limb is likely to be useful when sharing the members’ personal data for the purposes of exercises proposed by the employers, for example when doing enhanced transfer value exercises or asking experts to consider the demographics of the membership for the purposes of finessing the valuation assumptions. 

Issue 4: fresh privacy notice

There are new obligations on data controllers to provide more comprehensive, clear and specific information to data subjects on the commercial uses of their data, and their rights.

While the obligation to provide this information triggers when the information is collected from a member, trustees will want to send out fresh privacy notices to all members in advance of 25 May 2018.

The alternative is setting up a system where every time a new piece of personal data is collected from a member, a fresh privacy notice is sent out until all members have received it.

The content of these notices will be fairly standard, but will require some scheme-specific thought as well.

A failure to set out all potential uses of the members’ data could mean needing to send out a second notice in quick succession, for example if member data is going to be used to tender for a buy-in or to undertake a health study of the members.  

Issue 5: ‘special categories’ data
