A new data protection regime – preparation and patience
By Anna Copestake, Senior Associate, Arc Pensions Law.
Earlier this year the EU Parliament adopted a new General Data Protection Regulation (the GDPR). It aims to establish a single data protection framework across the EU.
The GDPR will automatically apply to member states on 25 May 2018. If and how it will apply to the UK depends on the outcome of Brexit negotiations. However, it is likely that the current UK data protection laws will not escape change.
Although May 2018 sounds like a long time away, the GDPR would necessitate significant changes for pension schemes. So, even with the uncertainty caused by Brexit, the message seemingly coming from the Information Commissioner’s Office (ICO) is “be prepared”.
Impact of Brexit
The extent to which the UK will have to comply with the GDPR is unknown. It will depend on the exit terms negotiated by the government. However, it is more likely than not that changes will be made to UK data protection laws and these will reflect the GDPR.
If negotiations take two years once exit is triggered, the UK will remain part of the EU in May 2018. However, since there is a question mark over the enforcement of a directive in a member state with only months remaining in the EU, applicability of the GDPR is more likely to depend on the specific terms of exit.
If the UK remains in the single market it may have to fully comply with the GDPR. If it does not, it may nevertheless choose to adopt the GDPR voluntarily. A great deal of trade relies on the cross-border exchange of data. EU countries would not be able to make data transfers to the UK (outside the EEA) unless the EU Commission was satisfied that the UK had ‘adequate’ levels of data protection. The same would be the case for other countries that adopted frameworks similar to the EU model. It is uncertain whether current UK law would be sufficient to meet this test, and so the UK may adopt provisions equivalent to the GDPR to retain trade channels.
Baroness Neville-Rolfe, UK Minister for Data Protection, recently spoke at the Privacy Laws & Business annual conference on data protection, talking about this “elephant in the room”[1]. She too does not yet know if the GDPR will take effect in the UK. But she did say that a “major consideration” in the UK’s negotiations will be the need to provide adequate protection when sharing data in the EU or handling EU citizens’ data. The ICO has also recently said that reform of UK data protection law remains necessary[2].
As a result, trustees and sponsors should start familiarising themselves with the new concepts in the GDPR in a bid to be as ready as possible should its provisions come into force in the UK in 2018.
Putting Brexit to one side, it is important to note that the GDPR will apply to the provision of goods and services to, or the processing of personal data of, EU citizens. Exactly what this means remains to be seen and ICO guidance would be welcomed. However, on the face of it, cross-border schemes or schemes with pensioners who are EU citizens may not escape compliance irrespective of the outcome of Brexit.
GDPR – key changes if implemented
Many aspects of existing UK data protection law would be retained under the GDPR. For example, the concepts of personal data, data controllers and data processors would remain. The ‘8 principles’ would also remain.
However, there are some major differences that would have a significant impact for trustees. It is also worth remembering that, depending on the circumstances, sponsors can also be data controllers and/or data processors.
The ICO would enforce the GDPR. Its guidance would be crucial to understanding the exact scope of any new requirements and their application to pension schemes.
Based on the GDPR text as it stands, some key changes for pension schemes include:
- Fines. Maximum fines for non-compliance would increase to the greater of €20,000,000 or 4% of global turnover (currently the ICO can issue a fine of up to £500k). Non-compliance would be far more ‘high risk’ in monetary terms.
- Processor contracts. Contracts between data controllers and data processors (e.g. administrators) would require additional wording regarding data storage and protection. This may cause administrators to revisit agreements, particularly older ones, which could have pros and cons for trustees and sponsors depending on relative negotiating positions.
- Information and consents. Individuals would need extra information about how, why and for how long their personal data is processed. A higher standard of consent would be required for processing personal data. The consent would have to be positive, informed and specific. Members would need to be told that consent can be withdrawn. Consequently, trustees would need to review member notices and consent gathering processes.
- Individual rights. Individuals would be given enhanced rights including greater access to their data, the ability to transfer their data to another provider and to have it erased in limited circumstances. Again, additional processes would need to permit the exercise of these rights.
- Reporting breaches. Data controllers would have to report serious data breaches to the ICO without undue delay or, if feasible, within 72 hours, unless risk to data subjects was unlikely. If there is a high risk to the data subject, he or she would also need to be notified without undue delay. Trustee processes would need to be efficient to comply with this timescale.
- Processor liability. Data processors (e.g. administrators) would have direct liability to members for breaches and may be fined by the ICO. This would be beneficial to members and may reduce the possibility of claims against trustees. However, administrators may seek to manage this additional risk in their contracts with trustees (e.g. by seeking indemnities). Again, this may trigger a review of current administration contracts.
- Impact assessments. Data controllers would have to carry out privacy impact assessments where processing is ‘high risk’, for example where automated profiling is used or where certain types of data, such as information about health, are processed on a large scale. This may be a consideration for certain liability management exercises, but ICO guidance on this point would be helpful.
What should we do now?
We know that changes to UK data protection laws are afoot, but the nature of the changes is unfortunately yet to be confirmed. That said, there is a good chance that any new laws will reflect some (or all) of the provisions of the GDPR.
Three steps that trustees and sponsors could usefully take whilst we wait for confirmation are:
- Knowledge – become familiar with the GDPR and its key points. Sponsors may already be looking at this as part of their business continuity plans and may be able to share information with trustees.
- Current processes – understand the current data processes involved in the running of the pension scheme.
- Impact – start thinking about what scheme processes and documentation may need to be revisited if the GDPR, or changes similar to those in the GDPR, were to be brought in.
It may also be useful to look at the ICO’s 12 step introductory guide to help prepare for the GDPR. It can be found at: https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12-steps.pdf
[1] https://www.gov.uk/government/speeches/the-eu-data-protection-package-the-uk-governments-perspective
[2] https://ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/
The views in this article are intended for general information purposes only and should not be used as a substitute for professional advice. Arc Pensions Law and the author(s) are not responsible for any direct or indirect result arising from any reliance placed on content, including any loss, and exclude liability to the full extent. Always seek appropriate legal advice from a suitably qualified lawyer before taking, or avoiding taking, any action. If you have any questions on the points raised in the above, please do not hesitate to get in touch.