
All change for pension trustees for GDPR – what do trustees need to do?

Despite some uncertainties as to the precise implementation and impact of the General Data Protection Regulation (GDPR), we can be definite that the requirements will become enforceable law on the odd date of Friday 25 May 2018. The GDPR will continue to apply after Brexit, incorporated into domestic law in some form. It therefore remains crucial for trustees to start to act now to be ready for 25 May 2018.

Refresher on Data Protection

For GDPR purposes, pension trustees are data controllers in relation to their plan’s data. Their advisers and agents, like scheme administrators and pension consultants, tend to be data processors. However, the Scheme actuary appointment is a personal appointment and the Scheme actuary is a data controller in his or her own right. The company which provides actuarial services for the trustees, however, is a data processor. The scheme’s sponsoring employer/group may also be a data processor in relation to the trustees’ data. The employer/group is also likely to be a data controller in relation to its own pension data. Trustees need written agreements in place with their various data processors.

How to Carry Out a Full Data Security Measures Review

Under the GDPR, both data controllers and data processors must implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. A ‘data security measures review’ is the practical way of going about this to make sure everything is up to scratch.

How to Become GDPR Compliant

The key actions for the trustees to carry out their data security measures review are to:

  • perform a data audit – see how the Scheme’s data is used and review what consents members/beneficiaries have already given and see if they are adequate for GDPR
  • review and update the trustees’ contracts with their third party data processors
  • set the scheme’s GDPR compliance policy
  • update the trustees’ fair processing notice (also called a privacy policy)
  • set scheme policies and procedures for dealing with members’ enhanced data protection rights, e.g. how to respond to a data subject request
  • decide whether a formal Data Protection Officer (DPO) should be appointed
  • set the scheme’s data breach policy and procedure
  • put these revised policies and procedures in a data register

Performing a Data Audit

This means analysing the various ways in which the trustees and third parties, such as administrators and actuaries, use the scheme’s data. The results of this can then be used to form the basis for the trustees’ written record of all their personal data processing activities: the GDPR compliance policy.

The audit should cover, amongst other things, any online pension scheme information and expression of wishes forms.

Member Consents – explicit consent is best

Under the Data Protection Act, it was usual for data controllers to obtain implied or explicit consents from members and beneficiaries as regards trustees holding and processing member data. Compliance was typically achieved by adding statements to member booklets and consents to member forms, etc.

Under GDPR, it is possible for processing to occur on the basis of consent. However, there are the following difficulties:

  • Implied consent is not permitted – clear affirmative member consent is needed
  • There must still be explicit consent for processing sensitive personal data – the definition of sensitive personal data under the GDPR is broadly the same as under the DPA
  • If the data is used for multiple purposes then multiple consents are needed
  • If there is data sharing every third party should be named
  • Consent can be withdrawn any time
  • Consent is not available where there is a clear imbalance in the relationship
  • Consents must be renewed every two years
  • Consents should not be obtained for one action and then used for another (e.g. for marketing purposes)

Given these difficulties, it is worth trying to use the other GDPR bases for processing ordinary personal data (not sensitive data). The key bases for pension schemes are that the data is needed for:

  • the legitimate interests of the data controllers
  • the performance of a contract
  • compliance with a legal obligation

Arguably all of these could be used as reasons why the trustees need to hold and process members’ data. We understand some consultants have recommended that trustees obtain formal member/beneficiary consents for all data processing (which then needs to be renewed and is subject to the member withdrawing consent) – not just for sensitive personal data. Given this, it is important to discuss the point with the trustees’ other professional advisers to make sure as joined-up an approach as possible is taken by the trustees on member consents with their third party data processors, like administrators and actuaries.

Trustees’ Contracts – to be reviewed

The DPA requires data controllers to contractually impose data security requirements on data processors. The GDPR now imposes these security requirements directly upon data processors, and exposes data processors to fines, penalties and compensation claims for failure to comply with these requirements. Consequently, the level of risk faced by data processors under the GDPR is significantly increased. This should be helpful so far as the pension trustees are concerned, because the vast majority use third party data processors to run their pension scheme. Although trustees are the overall data controllers, they do not do the data processing themselves, so higher standards imposed on the data processors should reduce the risk of a data breach from the trustees’ perspective as data controllers.

Given this, all agreements with pension scheme data responsibilities should be reviewed and updated to set out the trustees’ and third parties’ data sharing arrangements to ensure GDPR compliance by all concerned.

Trustees’ GDPR compliance policy

The trustees should prepare and maintain a GDPR compliance policy which will be a pension scheme document. It should allocate the responsibilities between the trustees and providers/advisers as regards the scheme’s data and should include, for example, the fair processing notice where third parties are the data controllers of scheme data in their own right – like the scheme actuary.

Trustees’ GDPR Training

Trustees should undertake training on the GDPR as it is best to consider them as ‘staff’ for GDPR purposes. Additionally, the trustees should find out what training their third party service providers receive as data processors and data controllers and add this into the trustees’ records of their data audit.

The Trustees’ fair processing notice

Under GDPR, personal data will be processed fairly only if certain information is given to the individual/individuals concerned, as a written statement. This is often called a “fair processing notice”. The ICO’s recent guidance also uses the term “privacy notice”, as the fair processing notice can form part of a privacy policy with wider scope than just the fair processing notice. The trustees will need to prepare and issue this notice.

Data retention policy

The trustees should have a formal data retention policy which they document. In formulating this, they need to consider:

  • why the data is being kept
  • whether this purpose has been fulfilled
  • whether the data is needed for any future potential claims
  • how the data will be destroyed

It is still possible for the trustees to keep data for the six-year limitation period as this remains a relevant time limit for bringing pension claims. However, the trustees should make sure their policy dovetails with, for example, the scheme administrators’ policy on this.

Data breach policy

It is compulsory for the ICO to be notified within 72 hours of a breach unless the breach is unlikely to result in a risk to the rights and freedoms of the individual. Such risks include discrimination, identity theft or fraud, and damage to reputation. Additionally, the data subject shall be notified of the breach unless various exceptions apply. Tighter rules apply if there is a GDPR breach and the trustees or their administrators communicate with scheme members electronically. The trustees therefore need to set up a system and write it down as a policy to cover this.

Data Protection Officer (DPO)

The trustees must consider whether to appoint a DPO and then document their decision. With a smaller scheme, it may not be necessary to appoint a DPO. However, it may be sensible to delegate GDPR duties overall to one trustee so that the trustee board can act quickly on data protection matters if it needs to do so.

Policy on subject access right requests

The trustees should set a policy and procedures to deal with the enhanced rights of individuals. If a scheme member makes a subject access right request, strict time limits apply. So the trustees should have formulated a process for dealing with this. It could be, for example, delegating responsibility for managing the request to one trustee.

Policy on members’ right to data portability

This right aims to stop data lock-in and to encourage data exchange. As such it is more relevant to third party administrators than pension trustees but it may become more relevant if the Pensions Dashboard initiative gets up and running. At that time, trustees should formulate their policy and procedures.

Policy on the right to be forgotten and what to do if an individual objects to their data being used for legitimate interests

These rights do not seem particularly relevant or likely in the context of a pension scheme.

Privacy Impact Assessment

This is needed where an organisation has a lot of sensitive personal data. We would not expect a smaller scheme to carry out such an assessment but we would expect scheme administrators to consider doing so.

Data register

The final step is to bring all the trustees’ policies and procedures together in one data register for the scheme. The register must then be reviewed regularly and updated as needed.

GDPR fines and penalties are potentially high

These are calculated on a tiered basis with the lower tier being up to €10m or (for an undertaking) up to 2% of global annual turnover, whichever is higher. There remain questions about how this is calculated with a corporate trustee that is part of a larger group. Under the GDPR any damages must be compensated. But as a matter of public policy, pension trustees should not use scheme assets to pay a fine – instead, trustees will be personally liable. If there is a corporate trustee company then that company rather than its directors would be prima facie liable for any GDPR fines so this is a reason for converting individual trustees into a trustee company. Alternatively it may be possible to buy insurance cover or a scheme’s employer may agree to discharge trustee fines on behalf of the trustees.

It is likely that the scheme auditors will check the scheme’s overall compliance with GDPR as part of the scheme audit.

TPR has not yet pronounced on how it expects pension trustees/employers and providers to implement GDPR so we are reliant on the ICO’s more general statements and policies.

GDPR start date

Everything needs to be lined up before 25 May 2018. Then GDPR should continue to be a regular agenda item at trustees’ meetings – with regular reports from third parties as regards compliance and any changes in practice.


Published: 21 July 2017

Pensions Law Update - July 2017

Key Contact

Penny Cogher