As we reported in November 2016, the EU General Data Protection Regulation (GDPR) will impact all UK pension schemes when it comes into force on 25 May 2018. Key areas of change include increased data subjects’ rights and record keeping duties, data protection ‘by design and default’, and enhanced enforcement powers for the Information Commissioner’s Office (ICO).
Trustees should already have begun preparatory steps to ensure their schemes will be compliant by the time GDPR comes into force; however, the data protection issues around pension schemes are complex and the picture is constantly evolving. Key recent developments, and their impact on pension schemes, include:
Publication of Data Protection Bill
The Data Protection Bill was introduced to Parliament on 13 September and will replace the existing Data Protection Act 1998. The Bill is designed to supplement GDPR and clarify how it will operate in practice; it also extends the regime to areas not covered by EU legislation (primarily the law enforcement and intelligence agencies).
Key provisions of the Bill include:
- Power for the ICO to levy fees to support its compliance work;
- Differing levels of enforcement notice that can be given by the ICO; and
- An explicit requirement to have a GDPR-compliance policy in place when processing data on certain lawful bases.
The Government has stated that it intends to retain existing data protection derogations as far as possible under the Bill. However, occupational pension schemes are mentioned only once in the text, so it remains to be seen exactly how the Government intends this to work in practice. The Bill is due for its first substantive Parliamentary debate on 10 October, and the Government's position is only likely to become clear once that process is under way. It is also possible that the Bill will be revised as it makes its way through the legislative process. We will continue to monitor this closely as it progresses through Parliament.
ICO draft guidance
The ICO is the UK body primarily responsible for ensuring that data controllers comply with GDPR. Over the course of 2017, it has issued draft guidance on a number of areas of GDPR relevant to pension schemes, including:
- Consent as a lawful basis for processing; and
- Contracts with data processors (i.e. scheme appointees such as administrators).
Further draft guidance is expected in the coming months, including on the other lawful bases for processing data and on record keeping requirements. Some of this guidance will only be finalised once the EU's GDPR Working Party has published its own guidance, and therefore may not appear until early 2018. The contracts guidance is open for consultation responses until 10 October 2017.
We will continue to monitor the draft guidance closely in case any specific obligations for schemes arise. Trustees should also check, and revise as necessary, their GDPR-compliance timetable, as it may have assumed that final guidance would be available sooner than it has been in practice.