Pension Funds Insider

GDPR – where are we now?

We’ve welcomed 2019 with open arms and, with New Year resolutions made, it is a good time to take a look at what pension schemes should be doing in respect of the General Data Protection Regulation (GDPR).

GDPR – a quick recap
With yet another privacy notice hitting your inbox last spring, you would have struggled to miss the GDPR coming into force on 25 May. The GDPR introduced more onerous data protection obligations (and the possibility of larger fines) on data controllers, including pension scheme trustees.

Privacy notices to members were generally sent out in good time, and most pension scheme trustees have put in place a data protection policy setting out how they are going to comply with their obligations under the GDPR.

However, the GDPR imposed a whole range of other obligations on data controllers, including in relation to contracts with data processors, reporting breaches and enabling members to exercise their rights in respect of personal data, to name but a few.

Whilst there was no expectation that data controllers would be fully compliant when GDPR came into force (indeed, the Information Commissioner said herself last year that 25 May was the beginning, not the end), trustees should be making good progress in meeting their GDPR obligations.

Pension scheme priorities for 2019
Every pension scheme will be at a different place in terms of GDPR compliance. For example, some pension schemes may have had several members asking to see their personal data (a “subject access request”), so their process for responding to these requests is already running smoothly. Others may have agreed the majority of their data processor contracts. With this in mind, there is no one-size-fits-all approach (is there ever in the GDPR world?) but, generally speaking, these are the key areas to focus on over the coming months.

Contractual terms with other providers
Data controllers are required to have GDPR contractually compliant terms in place with all their data processors. Trustees of pension schemes are no exception. Many trustees started negotiations with data processors, such as scheme administrators, well ahead of the May deadline. However, many trustees found the process long and drawn out and are yet to finalise these terms with all of their providers. Given the risk of sanctions for not having GDPR compliant terms in place, trustees must focus on getting terms finalised and agreed with their data processors.

Dealing with data subject access requests
Although individuals already had rights to access personal data held about them under the old regime, individuals are now much more aware of their rights. The number of requests has increased dramatically under the GDPR. For some members, complying with a request will be fairly straightforward, but it may be more tricky in other cases. With only a month to respond to a subject access request, pension schemes should put processes in place now for dealing with any request. When putting this together, trustees should think about:
- how to check the identity of the member
- making sure any third party has appropriate authority from the member
- clarifying the level and detail of information required
- how to present the personal data to members.
As the scheme administrator will hold the member records, trustees should work with their administrator in setting up a workable process for responding to these requests.

Dealing with breaches
Even with a data protection policy in place and properly implemented, breaches may happen, whether due to a malicious attack (e.g. viruses or malware) or genuine human error (e.g. loss of a portable device containing personal data).

Where there is a breach, the trustees may have to report the personal data breach to the ICO, or report it to both the ICO and the individual concerned, depending on the seriousness of the breach. A data controller is required to report a serious personal data breach to the ICO within 72 hours, where feasible.

In order to handle a potential breach efficiently, it is crucial to have a proper process in place to deal with any breaches. Trustees should consider the key individuals involved (e.g. who should be contacted initially, who will investigate the breach) and, where the breach is by a provider, how to work with that provider in investigating and reporting that breach.

Record keeping
In the run-up to 25 May 2018, pension schemes and their providers were busy carrying out audits to establish what personal data they held, why they held it, who else had access to it, how long it had been held, and whether it was still needed. As the GDPR requires all controllers and processors to maintain a processing record, trustees should check that the prescribed information has been pulled together for this purpose. The personal data audit will provide a platform for this but, given the sheer volume of personal data held by schemes, this is proving a challenging area. The scheme administrators will once again play an essential role, given that much of the processing of pension scheme personal data is carried out by them.

What about Brexit?
The ICO and the government have confirmed that the GDPR will remain law post-Brexit, regardless of whether we exit with a deal or with no deal. However, pension schemes should keep an eye on the position regarding transfers of data between the UK and the EU – whilst the government has confirmed it will continue to allow the free flow of data from the UK in the event of no deal, the European Commission has not yet confirmed its position.

What’s next?
GDPR compliance is still a new area for all data controllers, not just for pension scheme trustees. As well as carrying out the above steps, trustees should continue to review and update their processes and policies as “best practice” develops and as security measures develop and improve. Trustees will also need to monitor their data processors, to check that they are processing data in a GDPR compliant manner. The aim for all trustees is to make sure their members’ personal data is kept safe both now and in the future.

Katy Harries, senior associate, Sackers