What is General Data Protection Regulation (GDPR)

New General Data Protection Regulation (GDPR) comes into force in a year’s time on 25 May 2018. Pension schemes hold large volumes of personal data and trustees need to ensure that they comply with the regulations. Penalties for non-compliance are potentially severe.

GDPR relates to regulations surrounding personal data within the European Union (EU) and will apply in the UK, which will still be a member of the EU at that time. It applies to trustees as data controllers and their advisors and administrators as data processors. Personal data includes for example an individual’s name, address, date of birth, salary information and IP address. Personal information held by pension schemes may be of interest to those, for example, wishing to commit identity fraud.

The key areas covered by GDPR are as follows:

Stricter requirements around consent

The trustees must be able to demonstrate that individuals have explicitly consented to the processing of their data. The regulations allow consent to be withdrawn by the individual at any time. So consideration should be given to, for example, whether consent is deemed explicit or given where an individual signs up to being a member of a pension scheme. This includes information about their spouse and dependents and where members have opted out through auto-enrolment.

Privacy notices on use of data

Privacy notices provided to members detailing how their data will be used must now include information such as:

  • the purpose for which the data processing is intended
  • the recipients of the personal data
  • the period for which the data will be stored
  • the various rights members have in respect of the information.

Any communications must be easy to understand and written in clear and plain language. Consideration will need to be given to what is included in these notices to members.

Right to be forgotten

Members can request the complete erasure of personal data in certain circumstances such as where the data is no longer necessary for the purpose it was collected. Trustees will need to consider how they deal with such requests.

Relevant and necessary

Information must be relevant and not kept for longer than is necessary. Pension schemes will typically keep information for decades and trustees will need to consider whether this is still appropriate, for example where a member has transferred out of a scheme.

Data processing contracts

Detailed contracts must be in place between the trustees and data processors, such as scheme administrators and other service providers, and these will need to comply with GDPR when it comes into force. Trustees may need to amend the terms of existing contracts as well as ensuring new contracts will be compliant.

Reporting data breaches

Personal data breaches must be notified to the Information Commissioner's Office within 72 hours of the trustees having become aware of the breach. The member must also be notified if the breach is likely to result in a high risk to the member.

Data protection impact assessments

Where system changes are planned and the processing of data is considered ‘high risk’, an assessment of the impact of the planned processing on the protection of personal data must be carried out.

Data transfers outside the EU

Restrictions apply to data transfers outside of the EU to ensure the level of protection guaranteed by the GDPR is not undermined. Trustees will need to consider whether service providers hold data outside of the EU.

Increased record keeping obligations

Trustees must ensure records are maintained to show how they comply with GDPR.

The Information Commissioner's Office has recently been consulting on a number of aspects of these new requirements, such as consent and the content of privacy notices.

Action: Trustees should consider how these new requirements apply to their arrangements and put a plan in place to ensure that they are compliant by 25 May 2018. This should include considering any personal information that may be held by the trustees, the employer, and outsourced providers such as administrators and advisers.