GDPR for pension schemes: Three year anniversary
On 25 May 2021, we reach the three-year anniversary of the General Data Protection Regulation (GDPR) coming into force. In our latest blog we remind trustees of some key ongoing action points in order to comply with their data protection obligations. Since the end of the Brexit transition period, the GDPR has been broadly retained in domestic law (as the "UK GDPR") and sits alongside the Data Protection Act 2018.
Data Protection Policy (DPP)
DPPs form the backbone of trustee GDPR implementation, documenting and demonstrating compliance with the UK GDPR. Trustees should ensure the DPP is being reviewed and updated regularly. To assist with this, compliance with the UK GDPR could be included as a standing item on trustee agendas if it is not already.
Members have a right to information about the purposes for which their data is being processed. Trustees will have already established and communicated their lawful bases for processing data but should make sure members are notified of any changes which impact them, e.g. how their data is being used, who it is being shared with, and any changes to the basis for processing their data.
Note that information given to members about international transfers of their data may need to be updated in due course in light of Brexit (on 19 February 2021 the Commission released a draft adequacy decision for the UK, on which the EDPB published its opinion on 15 April 2021 but a final decision is still awaited).
Contracts and data sharing
Trustees will have existing GDPR-compliant contracts with third party providers. Contracts with any new data processors engaged by trustees must include the mandatory processor terms set out in Article 28 of the UK GDPR (including the processor's obligations on security, sub-processors, assisting the controller and return or deletion of data at the end of the contract). Careful thought should be given to indemnities in the event of a breach.
To the extent they have not already, trustees should consider putting in place a data sharing agreement with the sponsoring employer or any other controllers with which they share data. They should also consider reviewing existing agreements, having regard to the ICO’s recently updated Data Sharing Code of Practice, which was laid before Parliament on 18 May 2021 and comes into force on 20 June 2021.
Trustees should regularly assess and test their security systems and measures to ensure they remain robust and can protect against unauthorised or unlawful processing and any accidental loss, destruction or damage of personal data.
Trustees should ensure that they have a policy and processes in place to enable them to act quickly in the event of a personal data breach and that they are in a position to notify the ICO within the requisite time frame (without undue delay and, where feasible, within 72 hours of becoming aware of it) where the breach is likely to result in a risk to individuals. Members may also need to be notified where the breach is likely to result in a high risk to them. All parties, including administrators and other processors, should be clear who is responsible for taking each step; a processor must inform the trustees of a breach without undue delay, and the 72 hours run from the trustees becoming aware.
Trustees must keep a log of all personal data breaches (even those which did not meet the reporting threshold), recording the facts of the breach, its effects and any remedial action taken, and ensure this is kept up to date. The log is what the ICO will ask to see in order to verify compliance.
Data subject access requests
In most circumstances, trustees must make sure they are in a position to respond to a subject access request without undue delay and at the latest within one month of receipt of the request (extendable by up to a further two months only where requests are complex or numerous, and the member must be told of the extension within the first month). The trustees and their administrators should be clear who is responsible for taking any steps to respond.
Trustees and their advisers can take day-to-day action to minimise what needs to be disclosed in the event of a request by avoiding using member personal data in correspondence wherever possible. In order for personal data to be truly anonymised, it must be stripped of sufficient elements so that the individual can no longer be identified; merely replacing a name with a reference number (pseudonymisation) is not enough, as the data remains personal data while the key exists. All parties connected with the administration and governance of a pension scheme should be alert to the need to anonymise wherever possible.
Retention of data
Keep data regularly under review and consider what is necessary to keep and what can be returned or destroyed. Retiring trustees should be asked to evidence they have returned or destroyed all personal data relating to the scheme.
Trustees should ensure they are regularly refreshing their data protection training. The ICO’s breach notification form explicitly asks ‘Had the staff member involved in this breach received data protection training in the last two years?’. Trustees should ensure they are in a position to answer yes to this question in the unfortunate event of a breach.
How we can help
Our 25 March 2021 webinar, in which we discuss developments in GDPR for pension schemes since the GDPR came into force in 2018, can be found on YouTube. Our experienced pensions team is well placed to provide GDPR training or to help with reviews or updates of GDPR documentation more generally.