How will GDPR affect pension schemes?
From 25 May 2018 the European Union’s General Data Protection Regulation (GDPR) will come into force in all EU member states. As data controllers, trustees of occupational pension schemes need to prepare for the new legislation now. To ensure compliance, it is vital that trustees review their current data protection practices, understand the impact of the changes and take necessary action.
What are the key changes for pension schemes?
Although the basic principles behind GDPR are essentially unchanged from those enacted in the UK via the Data Protection Act 1998 (DPA), there are five areas trustees need to consider and prepare for:
1. New and enhanced rights for data subjects
Pension scheme members and beneficiaries will have enhanced rights to access their personal data and new rights of erasure (the ‘right to be forgotten’). Trustees will need to examine the legal basis on which personal data is processed, which is typically through member consent. However, GDPR tightens up the basis under which consent can be obtained and removes the ability to rely on silence or inactivity, or the use of pre-ticked boxes. Members will also have to be told how their data is used.
2. Data processors and joint data controllers
Any individuals carrying out data processing for the scheme will now be directly responsible for compliance. For example, in an occupational pension scheme the third party administrator would be a typical data processor. The Scheme Actuary and other professional advisers are typically considered to be joint data controllers along with the trustees. As joint data controllers, they will have to agree the allocation of responsibilities and communicate this arrangement to scheme members.
3. Accountability and record keeping
As data controllers, trustees will need to demonstrate how they comply with GDPR. Together with their data processors, they will each have to maintain records of the processing activities for which they are responsible and make these available to the Information Commissioner’s Office (ICO) on request.
4. The role of the Data Protection Officer
It is likely that GDPR will require trustees of larger schemes to appoint a person to fulfil the role of Data Protection Officer (DPO). This person will be responsible for monitoring compliance with the GDPR and liaising with the ICO. The DPO could be one of the trustees or an external individual.
5. Reporting obligations
Trustees will have to report any data breaches to the ICO if there is any likelihood of risk to members’ rights. Such reports will have to be made, where feasible, within 72 hours of the trustees becoming aware of the breach. If the breach is ‘high risk’ and is not mitigated by data encryption or other measures, the trustees will have to inform members affected immediately.
Penalties for non-compliance
The potential maximum fine has increased from £500,000 under the current Data Protection legislation to 20 million euros or 4% of annual turnover (if higher). For less serious infringements it will be 10 million euros or 2% of annual turnover (if higher). The penalties are very high, but the new GDPR obliges the ICO to administer fines that are ‘effective, proportionate and dissuasive’.
How we can help
GDPR builds on the existing Data Protection framework but will introduce changes to the way you and your advisers work together to ensure that pension scheme data is secure and that the privacy rights of pension scheme members are respected. At BDO we have a team of experienced GDPR pension experts who can assist you in the preparation of GDPR checklists that you can send to your advisers, and ensure you are fully prepared for the changes being introduced on 25 May 2018.
For further information or advice please contact:
T: +44 (0)1483 408 126