The pensions industry has one year to prepare for new regulations coming its way. Europe's new data protection legal framework is set out in the General Data Protection Regulation (GDPR) which will come into force in all EU Member States on 25 May 2018, including the UK. While the changes are not radically different to the current legal requirements, there are important developments that the pensions industry needs to be aware of ahead of May 2018.
The General Data Protection Regulation (GDPR) will come into force in all EU Member States on 25 May 2018. The UK will still be a Member State of the EU on 25 May 2018 and is likely to retain the GDPR following Brexit.
The GDPR does not mark a radical departure from the current data protection regime (i.e. in the UK under the Data Protection Act 1998 (DPA)). There are, however, certain key changes that will focus attention in the pensions industry. The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are: more detailed privacy notices, whilst still being concise and easily understood; overlapping controller and processor obligations, especially around security; mandatory breach notification to regulators and members; and more severe sanctions for non-compliance.
What's happening on data protection?
Regardless of the progress of Brexit negotiations, it is very likely that the UK will still be a Member State of the EU on 25 May 2018. The GDPR will therefore apply to data controllers and processors in the UK on and from this date and the Great Repeal Bill will translate the GDPR into national law.
The Information Commissioner has also made it clear that she expects the UK will want to keep in step with European data protection standards after we leave the EU, both to facilitate cross-border transfers and because many UK controllers and processors will process the personal data of European citizens and are therefore caught by the GDPR in any event, given its extra-territorial effect.
With just over one year to go until the GDPR comes into force, it is now time to map your data flows, start reviewing current policies, procedures, systems and practices, and ensure you understand your data protection obligations.
The new law is not as radical a departure from the old law as might have been feared. Broadly speaking, data processes that are lawful under the UK's Data Protection Act 1998 are likely to remain lawful under the GDPR. This should provide some comfort to trustees to the extent they are compliant with the current legal requirements. This is, however, subject to four important changes that are particularly relevant to pension schemes.
What are the key changes for pensions under the GDPR?
More detailed privacy notices: The requirements relating to privacy notices under GDPR are more detailed and specific than under the DPA and place more emphasis on making them understandable and accessible. Privacy notices will need to contain additional information, such as details of the legal basis for the processing of the personal data that is held. Existing privacy notices will therefore need to be reviewed and updated accordingly.
Overlapping controller and processor obligations, especially around security: Under the GDPR, data processors (i.e. those who process personal data on behalf of a data controller, such as a scheme administrator) will, for the first time, be subject to direct legal obligations. This significant exposure to additional legal liability will make compliance a higher priority amongst actuaries, employee benefit consultants and other advisers.
In addition, the GDPR will require agreements between trustees and these parties to cover various data protection issues. Data controllers (such as trustees) are not relieved of their obligations under the GDPR even if they have delegated to a third-party data processor.
Mandatory breach notification to regulators and members: Under the GDPR, breaches of the data protection requirements must be reported to the national supervisory bodies (i.e. the Information Commissioner's Office in the UK) within 72 hours. If breaches are likely to result in a high risk to the rights and freedoms of data subjects (i.e. pension scheme members, employees etc.), the breach has to be communicated directly to the affected persons without undue delay.
More severe sanctions for non-compliance: The GDPR imposes significantly greater fines for non-compliance, up to the greater of €20m and 4 per cent of global annual turnover for the majority of data processing that is relevant to the pensions industry.