Data protection – trustees need to take action
5 December 2017
The EU General Data Protection Regulation (GDPR) is fast approaching, with less than six months to go before it applies from 25 May 2018, and it will affect pension schemes. Trustees should therefore already be considering what they need to do to comply with the new requirements. There may also be implications for employers where trustees do not comply, and where employers handle member data themselves.
Our briefing provides a reminder of why GDPR is relevant and what is changing.
Why is data protection relevant to trustees?
Trustees need to use personal information about members to calculate and pay pension benefits. This makes them “data controllers” for the purposes of both new and existing data protection requirements.
As data controllers, trustees already have significant obligations in relation to member data. These include ensuring that: the data is processed fairly and lawfully; members are given certain information about what is being done with their data; and that it is held securely.
Trustees will also generally need to have registered as a data controller with the Information Commissioner’s Office (ICO).
What is changing?
Once the GDPR applies, a lot will still look the same. Trustees will still be data controllers and they will still need to ensure that member data is processed fairly and lawfully.
However, whilst the principles remain similar, a lot of practical requirements are changing. Trustees will need to ensure that they have appropriate internal policies and processes in place to comply with the large volume of new requirements.
Where third parties such as administrators process data on the trustees’ behalf, agreements with them will need to be reviewed to ensure that there are provisions dealing with security, confidentiality and the return or destruction of the data at the end of the contract.
In addition, members will need to be given more information, including for how long trustees intend to hold their data and the legal basis for which it is being used.
There are also changes to the mechanics of complying with subject access requests (requests from members to be told what information is held about them) and to the requirements for notifying breaches to the ICO.
Finally, the penalties for non-compliance with the data protection requirements will increase considerably. The ICO can currently impose fines of up to £500,000. Under the GDPR, the maximum will rise to €20 million or 4% of annual global turnover, whichever is greater. Although it is highly unlikely in practice that trustees would ever face fines of anything approaching this magnitude, it does illustrate the importance of compliance.
If trustees have not already done so, data protection needs to be put on the agenda for an upcoming trustees' meeting.
Trustees need to identify what information they hold, who processes it on their behalf and the legal basis on which this data is being processed. They also need to have copies of their agreements with all third party data processors so they can start the process of reviewing them.
Trustees should put an action plan in place to ensure they have identified everything they need to do and have enough time to do it.
We can help with this, so if you have any questions or need more information please contact Jeremy Goodwin, Emma King, Paula Barrett or Liz Fitzsimons.