The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. Prior to that date, we are in a transitional period during which organisations need to prepare for compliance. There will be no further ‘grace period’ from May 2018, which means that, from that date, all affected organisations will need to be fully compliant.
The GDPR builds on the framework set out in the Data Protection Act 1998 or DPA (which we are already used to in the UK), but introduces significant new and enhanced obligations as well as substantially higher sanctions for non-compliance. It represents the biggest change in the UK/EU data protection landscape in 20 years. It is therefore inevitable that changes will need to be made to ensure GDPR compliance.
It goes without saying that the running and administration of a pension scheme requires, by its nature, the processing of a wide variety of data relating to the pension scheme’s members.
The changes in the legal requirements that cover the processing of data are therefore likely to impact on pension trustees, who will need to ensure they take action to comply.
The difficulty for pension trustees at the moment is that there is little practical guidance available from the relevant authorities as to how they should do this. It is hoped that more guidance will gradually become available (both general guidance and pension-specific guidance, the latter currently being lobbied for by the pensions industry).
In the meantime, this client alert seeks to highlight the main areas where changes in practice will probably be needed.