The new EU General Data Protection Regulation for Pension Scheme Trustees
Pension Scheme Trustees, who typically act as "data controllers", need to take action now to ensure compliance with the new EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
The basic principles behind GDPR are essentially unchanged from those enacted in the UK via the Data Protection Act 1998 (DPA) but there are a number of new rights and obligations. Here are some of the new provisions:
- Penalties/sanctions: The new maximum penalty will be 20m euros (and possibly higher for commercial entities depending on global turnover) for "serious" breaches and 50% of that for "lesser" breaches. The current maximum fine that can be imposed by the Information Commissioner's Office (ICO) is £500,000.
- Registration: This will no longer be necessary when GDPR comes into force.
- Privacy notices: These will need to be reviewed as you will have to give people more information, e.g. your legal basis for processing the data, your data retention periods, etc.
- Consent: Where consent is obtained it should be freely given, specific, informed and unambiguous.
- Rights of individuals: the new rights include a right to have access to data free of charge and the right to have data deleted.
- Data Protection Officer (DPO): A DPO will need to be appointed in certain circumstances, and even where one is not required it will be expected.
The ICO has commented that in many cases GDPR only enhances rights and requirements that already apply under the DPA, but it is working on a set of guidance on GDPR – more information, together with a more comprehensive summary of GDPR, can be found here.
Pension Scheme Trustees will need to take some action to make sure they comply and this is likely to include:
- reviewing contracts with all data processors (and any joint data controllers), and making sure that any new contracts take account of GDPR if they are likely to apply beyond May 2018;
- identifying all data that is processed by or on behalf of the Scheme – what personal data is held, why it is held, etc.; and
- reviewing privacy notices and consents to make sure they meet the new requirements.
Whilst we await further guidance from the ICO, our data protection team has compiled a guide detailing the practical steps you can take now to work towards compliance, which you can download free here.