A look at the new EU data protection requirements in force from 25 May 2018
A key task for pension schemes is to take proper care of the information they hold about members. From time to time, trustees of pension schemes are faced with specific situations where they need to do this in a way which satisfies data protection law.
For example, trustees sometimes pass information about members to financial advisers who then use the data to advise members about their pension benefits. That can happen when an employer makes a proposal to close a pension scheme or offers members an incentive to transfer their pension benefits to another pension scheme. When this happens, the trustees should obtain assurances that the financial advisers will, essentially, also take proper care of the information.
The current UK data protection law dates from 1998 and is based on an EU directive from 1995. Since then, there has been a huge increase in the sharing of information. Social media is just one part of this. The consequence is that data protection law is now out of date. So, the EU has recently published a new regulation to bring data protection law up to date. The new regulation will come into force on 25 May 2018 and will apply across the whole of the EU. Despite June's vote to leave the EU, it is very likely that the UK will still be a member state of the EU on that date. Therefore, the new data protection regulation is very likely to apply here in the UK as well.
The new regulation retains many of the rules from current data protection law, but it also represents a significant strengthening of the regime.
Trustees of pension schemes will still need to comply with a set of principles, as they do now, and the new regulation still uses familiar terms such as 'data controller' and 'data processor'. Using my example above, the trustees are the 'data controller', and data protection law, through the principles, imposes obligations on the trustees to obtain assurances from the financial advisers, who are regarded as the 'data processor'.
The strengthening in the regime, for pension schemes, comes in the form of:
- stronger rights for members;
- providing more details to members about using their data;
- making it harder to obtain consent from members to use their data;
- higher penalties.