5 April 2018

Pensions Aspects April 2018

A false sense of security? Read the latest issue on GDPR and Cyber security: how robust is your approach?

Data and the looming deadline...

There was a time when 25 May 2018 was a long time in the future, but that time is no longer with us. It is only a matter of weeks away now, and with that fateful day comes the General Data Protection Regulation, known to the world as “GDPR”.

GDPR is a piece of EU-wide legislation that updates data protection laws and, unusually, comes into effect without any laws being passed by the UK Parliament (this is the “Regulation” part of the title). In many ways it is nothing new: the rules are generally a sensible extension of what was there before, but it has had the world talking because the fines are bigger (up to 20 million Euros), and can be issued against everyone “processing” personal data, not just those “controlling” it.

It is this second point that has galvanised the pensions industry. The “data controllers”, who are already obliged to comply, are the trustees. We all know that, historically, a lot of trustees never reviewed their agreements with their various advisers, and certainly few had the commercial power to alter them. If their actuary, or administrator, or even lawyer wanted to say that they were sending the data unencrypted to a mate in Western Samoa (or anywhere else outside the EEA), the ability of the trustees to stop them was extremely limited. So, the trustees had the data obligations, but someone else had all the power.

Of course, the number of advisers who wanted to play fast and loose with data was very small, but the new obligations have galvanised us all into action. Trustees are now being inundated with a flood of demands and requests from their advisers, all of which are supposed to be sorted by 25 May.

The schemes need to have completed their data mapping and worked out their policies and systems on a range of issues from reporting of breaches to member subject access requests. They need to have new agreements with all their processors, covering certain specific issues, and they need to have told people about their data, and how and why they hold it. An increasing number of schemes know that, probably, they are going to miss the deadline.

Is missing the deadline the end of the world? In one sense, no. The Information Commissioner’s Office (ICO), which regulates GDPR, tends to take the same pragmatic view as our own Pensions Regulator. If the trustees are getting there, but don’t quite meet the deadlines for everything, the ICO is likely to be relatively relaxed; it is the direction of travel that matters. It is the schemes that are kicking back and not moving the process forward that really need to worry.

Because, in one sense, the deadline may not be the end of the world, but ignoring data protection may be. Pension trustees can sometimes assume that, because a lot of political rhetoric around GDPR is about Facebook and Big Data and Data Mining, it isn’t really about pension schemes. This seems to miss some fundamental facts about the vast amount of data held by pension schemes, much of which is sensitive (both in the GDPR and the usual sense), and which is worth a great deal of money to a range of criminals who might want it for anything from identity theft to liberation scamming. Pension schemes are increasingly the target of cyber attacks and any scheme that is relaxed about GDPR is missing the bigger picture; our industry has a lot of valuable data and we need to be looking after it.

Last update: 26 February 2021

Rosalind Connor
ARC Pensions Law
Partner
