On 25 May 2018, a new data protection law will come into force across Europe aimed at creating a uniform set of requirements fit for the digital age. While much of the General Data Protection Regulation (GDPR) will feel familiar, some important changes are on the way. With fines of up to €20 million (£17 million) or 4% of worldwide turnover, whichever is higher, a possibility, there are some key steps to help trustees get occupational pension schemes into shape.
Employers also have a key role to play here, as they will be sharing personal data with trustees, such as members’ salary information, and will often provide services to help in the running of the scheme. Such services can include making a scheme manager or scheme secretary available, and possibly providing in-house administration services.
The first key step to consider is auditing personal data. This includes identifying what scheme personal data is held, why it is held, who has access to it, how long it has been held, and whether it is still needed.
Second is determining the legal grounds for processing. Data controllers (for an occupational scheme, usually the trustees) must be able to justify in law each use of scheme personal data. Relevant grounds could include processing being necessary for the ‘legitimate interests’ of the trustees, namely the effective running of the pension scheme; processing being necessary for compliance with a legal obligation; or members having given their specific consent. Given that schemes hold different types of personal data, trustees should bear in mind that more than one legal ground is likely to be relevant and should keep those grounds under review.
A further step is updating contracts. The GDPR sets out specific requirements on documenting relationships where personal data is being shared with others. Trustees should identify the services being provided by others involving scheme personal data, whether third party or in-house, and discuss with their legal advisers how best to document them. All personal data flowing between the trustees and the employer should be dealt with here.
Trustees will also need to provide specific information to members through an updated privacy notice, and the GDPR requires that all communications with data subjects should be in a “concise, transparent, intelligible and easily accessible form”. Key issues to cover include members’ rights to access their personal data, to have inaccurate personal data corrected and to be forgotten in certain circumstances.
Finally, a scheme’s personal data policy should be looked at. While the content and structure will vary, the trustees’ data protection policy should address some items as a minimum, not least the record keeping requirements under the GDPR. It should also reflect key decisions taken and procedures put in place to meet GDPR requirements.
While there is much for many schemes to do over the coming months, far from marking the finishing line for compliance, 25 May 2018 is simply the beginning of a new regulatory regime.
Claire Carey is partner at law firm Sackers