Friday Highlight  

Four areas for action under GDPR

The General Data Protection Regulation (GDPR) comes into force in May 2018 and is a unifying European regulation.

Applying directly in all EU member states, it aims to strengthen the rights of individuals over their personal data and how it is protected and used.

It’s replacing the UK Data Protection Act, and the May 2018 implementation date means there is no Brexit get-out.

Sanctions for breaching GDPR will be much heavier than under the Data Protection Act – up from a maximum of £500,000 to €20m (£17.5m), or 4 per cent of annual worldwide turnover if greater. 

Despite this, a recent survey by Compeer for technology provider Iress among senior IT staff collectively responsible for £100bn of assets under management, found that nobody was very confident of completing the work needed for compliance with GDPR by May 2018. And 38 per cent admitted they will struggle.

So, what is changing under GDPR and what does that mean for the pensions industry and any field involving data?

The Information Commissioner’s Office will continue to oversee data protection in the UK under GDPR. 

The ICO website holds a lot of useful guidance on what’s changing and suggestions for tackling it. 

The four areas likely to need action are: the data held by companies; capturing consents; supporting strengthened individual rights; and responding to data breaches.

1) Data

To ensure compliance with GDPR, you will need to know exactly what data you have, where it came from, who you’ve shared it with and if it counts as sensitive in GDPR terms. 

Individuals are being given the right to know where you got their data from and you’ll have to tell anyone you share data with about any changes you make to it.  

A data audit is a sensible first step here. 

A pension scheme may use a database, but what else is out there? Think about paper files, historic data on microfiche and old spreadsheets. 

It’s also essential to make sure data is accurate as part of this, with any inconsistencies deleted or corrected – an approach that also ties in with the Association of British Insurers and The Pensions Regulator’s own view on the standard of data accuracy and quality, more broadly.

A core component of the GDPR revolves around giving a legal basis for processing data, for example by obtaining customer ‘consent’. 

Requirements for capturing customer consent are much stricter under GDPR. The standard is specific consent and an individual can also withdraw that consent at any time and ask to be forgotten. 

In that case – unless you can make a case under allowed exemptions that you need to keep it, say to meet a later claim – their data must be deleted. 

How will this be supported across the supplier chain?

It may be possible to argue that you don’t need specific consent if you, as data controller, have a legitimate interest in processing individual data, for example to administer your pension scheme.