The requirements of the General Data Protection Regulation become enforceable on 25 May 2018 – less than 9 months from now – and there is a lot of work for trustees, employers, advisers and administrators to do before then.
The Government has now announced its intention to bring in a new Data Protection Act which will enshrine GDPR into UK law so that it remains in force after Brexit.
The scope of the work required to ensure compliance with GDPR is too wide to be covered in full in this article but here are a few key points:
- As a reminder, pension scheme Trustees are Data Controllers in relation to the Scheme’s data. Advisers and administrators will be Data Processors, although the Scheme actuary (a personal appointment) will be a Data Controller in his or her own right.
- Under GDPR both Data Controllers and Data Processors must implement measures to protect personal data.
- To do this, Trustees (and the other parties) will have to complete a full Data Security Measures Review. Some (but not all) of the key aspects of this will be:
  - A data audit, to include how data is used and what consents have been given for its use;
  - Reviewing (and as necessary amending) contracts with Data Processors;
  - Agreeing a policy for compliance with GDPR;
  - Setting a policy for dealing with the enhanced data protection rights of members;
  - Pulling all the different strands of this together into one data register for the Scheme, which must then be reviewed and updated as necessary.
Trustees are also supposed to consider whether to appoint a Data Protection Officer (DPO). Most smaller pension schemes will probably think this is unnecessary but may consider asking one trustee to monitor GDPR compliance on behalf of the Trustee board, with appropriate authority to act quickly where necessary.
Some of the press coverage has also focused on the “right to be forgotten” but this seems unlikely to be that relevant to the management of data within pension schemes. However, Trustees will need to have a clear policy governing what data is being retained, whether this has been achieved, whether it is still needed and how it will be destroyed.
It is clear from the above that there is a lot of work to do to ensure compliance and relatively little time to do it.
Finally it is worth remembering that the Scheme data may also be processed by the sponsoring employer from time to time, so trustees will want to know, and need to make sure, that the employer has appropriate arrangements in place for GDPR compliance and also that the employer is only able to use Scheme personal data for specific purposes and with Trustee consent.
We are already reviewing suppliers’ contracts with GDPR in mind, as any contracts entered into now will almost certainly still be in place beyond next May, but a wider review of all existing advisers’ and suppliers’ contracts is going to be needed. If you would like our help with this, please contact one of the pensions team.