Friday Highlight, Jan 26 2018

Four areas for action under GDPR

Applying directly in all EU member states, GDPR aims to strengthen the rights of individuals over their personal data and over how it is protected and used.

It’s replacing the UK Data Protection Act, and the May 2018 implementation date means there is no Brexit get-out.

Sanctions for breaching GDPR will be much heavier than under the Data Protection Act – up from a maximum of £500,000 to €20m (£17.5m), or 4 per cent of annual worldwide turnover if greater. 

Despite this, a recent survey by Compeer for technology provider Iress among senior IT staff collectively responsible for £100bn of assets under management, found that nobody was very confident of completing the work needed for compliance with GDPR by May 2018. And 38 per cent admitted they will struggle.

So, what is changing under GDPR and what does that mean for the pensions industry and any field involving data?

The Information Commissioner’s Office will continue to oversee data protection in the UK under GDPR. 

The ICO website holds a lot of useful guidance on what’s changing and suggestions for tackling it. 

The four areas likely to need action are: the data held by companies; capturing consents; supporting strengthened individual rights; and responding to data breaches.

1) Data

To ensure compliance with GDPR, you will need to know exactly what data you have, where it came from, who you’ve shared it with and if it counts as sensitive in GDPR terms. 

Individuals are being given the right to know where you got their data from and you’ll have to tell anyone you share data with about any changes you make to it.  

A data audit is a sensible first step here. 

A pension scheme may use a database, but what else is out there? Think about paper files, historic data on microfiche and old spreadsheets. 

It’s also essential to make sure data is accurate as part of this, with any inconsistencies deleted or corrected – an approach that also ties in with the Association of British Insurers and The Pensions Regulator’s own view on the standard of data accuracy and quality, more broadly.

A core component of the GDPR revolves around giving a legal basis for processing data, for example by obtaining customer ‘consent’. 

Requirements for capturing customer consent are much stricter under GDPR. The standard is specific consent and an individual can also withdraw that consent at any time and ask to be forgotten. 

In that case – unless you can make a case under allowed exemptions that you need to keep it, say to meet a later claim – their data must be deleted. 

How will this be supported across the supplier chain?

It may be possible to argue that you don’t need specific consent if you, as data controller, have a legitimate interest in processing individual data, for example to administer your pension scheme. 

That may not work for sensitive data though, where requirements are much stricter.  

However, help may be at hand via the Data Protection Bill. In its current draft form, this bill gives an exemption to the consent requirement for pension schemes in certain situations. 

Schemes may wish to monitor developments in the Data Protection Bill and consider getting advice on their situation.

The rules around privacy notices and communicating how data is processed are more involved under GDPR too. More information must be included. 

They must also be concise and written in clear, plain English. You may need to issue updated privacy notices before May 2018.

That’s not long, especially if you want to send them out with something already scheduled – a summary funding statement for a pension scheme perhaps. 

And last, but not least, if pension schemes are relying on consent then they must also make sure that this consent is documented.

2) Individuals’ rights

As well as the right to withdraw consent and be forgotten, GDPR also gives a right to data portability. 

Individuals can ask to have data transferred between one data controller and another in a standard electronic format. Once again, the accuracy of the data will be key to successful transfers of this kind. 

There are changes for subject access requests too. In most cases, you will no longer be able to charge anyone who asks to see the data you’ve got about them (£10 is allowed today) and the timescales for providing the data are reduced.

3) Data breaches

The recent WannaCry ransomware attack was another reminder to many of the need to take cyber security seriously and be prepared for cyber crime, from which data breaches often stem. 

Should the worst happen, under GDPR there will be just 72 hours to notify anyone who is potentially impacted by a data breach. 

That needs to be factored into your business continuity planning: make sure you are clear about who will be responsible for doing what if a breach occurs, especially if you work with multiple service providers.

4) Start lining up your data ducks

With only seven months to go until implementation, the clock is ticking on GDPR. 

If businesses don’t already have an action plan in place, the time to get started is now. 

Good data protection practices make good business sense in any case. As does managing the risk of a fine of up to €20m.

Actions to consider:

  • Carry out an information audit and gap analysis 
  • Get advice on your situation from a reliable source
  • Review member consent and privacy notices
  • Review data security and establish a data breach response plan 
  • Review contracts with service providers

A handy list of questions for suppliers:

  • What are you doing to comply with GDPR?
  • Have you a plan for compliance and how do 'I' fit into it?
  • What is your cyber security policy and when was it last tested?
  • How do you store and transfer member information?
  • Where is this logged, and when is it reviewed?
  • How can you identify a data breach?

Duncan Howorth is executive chairman for data services specialist ITM