It goes without saying that the running and administration of a pension scheme requires, by its nature, the processing of a wide variety of data relating to the pension scheme’s members.
The changes in the legal requirements that cover the processing of data are therefore likely to impact on pension trustees, who will need to ensure they take action to comply.
The difficulty for pension trustees at the moment is that there is little practical guidance available from the relevant authorities as to how they should do this. It is hoped that more guidance will gradually become available (both general guidance, and pension-specific guidance as is currently being lobbied for by the pensions industry).
In the meantime, this client alert seeks to highlight the main areas where changes in practice will probably be needed.
When does the GDPR apply?
The GDPR applies to data controllers and to data processors:
- Data controllers are individuals or organisations that determine the purpose and manner of processing data. This includes pension trustees.
- Data processors are individuals or organisations that process data on behalf of data controllers (other than the employees of such data controllers). In the pensions context this could include, for example, the administrators working for pension trustees.
What you need to know
Legal basis for holding data
In order for data to be lawfully processed, that processing must be allowed under the GDPR. The GDPR sets out six main situations in which data can be lawfully processed. For pension schemes, the most relevant are likely to be:
- data is held on the basis of explicit consent given by some form of clear affirmative action (i.e., a positive opt-in). The switch from implied consent (which was allowed under the DPA) to explicit consent has been one of the more headline-grabbing changes to the data protection regime. However, trustees do not generally rely on consent as the legal basis for data processing, because there would be insurmountable practical difficulties in obtaining explicit consent from every member. Fortunately, and as the UK’s Information Commissioner has confirmed, although consent is one way to comply with the GDPR, it is not the only way. The changes here should therefore not cause too much alarm. The key message, though, is that if consent is to be relied upon, that consent will need to be given in an explicit and clear way by the member.
- data is held on the basis of a legitimate interest. This gives trustees the ability to process data where the trustees have a genuine and legitimate reason to do so (unless this is outweighed by harm to the individual’s rights and interests). Most commentators agree this is the key justification upon which trustees will need to rely, and it is hoped this will soon be confirmed in guidance.
- data is held as it is necessary for compliance with a legal obligation. Again, it could be argued that, as trustees have a legal obligation to pay a pension to the relevant member, it is necessary for trustees to process the relevant data.
Data processors and contracts with data processors
One significant change from the current regime is that the GDPR will, for the first time, introduce obligations for data processors (under the DPA, only data controllers have regulatory responsibility to comply). This makes processors susceptible to fines in the same way as data controllers.
The GDPR also sets out mandatory provisions that must be included in agreements with service providers who are data processors (such as, for example, requiring confidentiality obligations for all service provider personnel who are involved, and a requirement for the service provider to make available all information required to demonstrate the service provider’s compliance).
This will mean that the contracts trustees have in place with data processors will need to be revisited.
The hope is that those service providers who are also data processors will be preparing standard amendments to their existing agreements to deal with this comfortably in advance of May 2018. However, trustees could consider raising this with their service providers proactively in order to ensure it is on their radar.
Data policies and procedures
The GDPR requires data controllers to design processes to ensure that data protection compliance is built into their operations (‘privacy by design’). There is also a requirement for the default setting in any data processing operations to be whichever is the least privacy-invasive from the individual’s perspective (‘privacy by default’).
Another key concept which runs through the GDPR is ‘accountability’. This means that it will no longer be sufficient merely to comply with data protection requirements. Instead, it will now be necessary to be able to demonstrate compliance with the GDPR. In other words, controllers and processors could find themselves in breach if they cannot provide evidence that they have the means to comply with a GDPR requirement. For example, failure to have an appropriate data security breach policy in place could constitute a breach even where no data security breach has occurred. As a result, complying with the accountability principle is likely to entail putting in place new or updated policies and procedures that evidence compliance with the GDPR.
Record-keeping requirements
The GDPR introduces a new requirement for controllers and processors alike to keep full records of what personal data is processed, how it is processed and for what purposes it is processed.
An internal policy or policies will therefore need to be prepared to record the approach to data protection compliance, as well as governance structures to monitor, review and ensure implementation.
Data breach reporting and policy
Data controllers will be under an obligation to report certain data protection breaches within 72 hours of the breach occurring. Equally, data processors will have obligations to report breaches to controllers “without undue delay”.
In order to comply with this tight time-frame, an effective data breach response policy will need to be put into place as well as appropriate contractual arrangements to address data breach reporting.
Information notices
Members will need to be provided with detailed information notices (sometimes called ‘privacy notices’ or ‘fair processing notices’) that clearly explain how, and for what purpose, their data is processed. These will also need to include various other items of information that are specified in the GDPR.
These notices should naturally follow on from putting in place the new data policies and procedures required under the GDPR.
It should also be possible to build this information into communications that are already due to be sent to members (such as newsletters, benefit statements or other updates).
Privacy impact assessments
The GDPR requires a privacy impact assessment to be carried out where any new ‘high-risk’ processing is undertaken. This could include, for example, using a new technology, or undertaking a buy-in and buy-out where lots of data may be transferred between and processed by third parties.
In broad terms, a privacy impact assessment will need to contain (1) a description of the processing operation and its purpose; (2) an assessment of the necessity and proportionality of the processing; (3) an assessment of the risk to members; and (4) a description of the measures in place to address risk.
One simple way to deal with this would be to put in place a pro forma or template privacy impact assessment prior to 25 May 2018 as part of other GDPR compliance preparations. This will then be ready for use when needed. Good practice would be to also have in place a ‘privacy impact assessment-lite’ template to address lower-risk data processing activities.
Penalties
Maximum penalties for non-compliance with data protection requirements will increase from a current maximum of £500,000 to a much higher maximum of €10 million (or 2 per cent of global annual turnover if higher) or €20 million (or 4 per cent of global annual turnover if higher) depending on the category of infringement.
Individuals will also have the right to sue data controllers or processors for data breaches.
What can you be doing now to prepare for compliance?
Put together a data inventory
The first step is to work out what personal data is held, who holds personal data in relation to the pension scheme and how, where and for which purposes such data is processed. Not only can this serve as the record of processing activities required under the GDPR; it will also provide a clearer picture of how data is processed and where the key compliance risks requiring remediation lie.
Further thought may then need to be given to whether that data is being held by a data processor or a ‘co-controller’.
It may also be relevant to establish what types of data those parties hold (for example, is it just names and addresses, or does it include details relating to a person’s health?).
Legal basis for processing review
Establish and record the legal basis which is being relied upon to justify the processing of members’ data.
If that basis is consent (which is relatively unlikely in the pensions context), consider whether one of the other bases could apply or consider any opportunities to seek updated or new consent through existing member communication plans.
Data protection officer
You should consider whether a data protection officer (DPO) is required. Although some high-level EU guidance is already available about this, more specific guidance is hoped for.
Under the GDPR, a DPO is needed where an organisation is “processing data on a large scale”.
The DPO’s minimum duties include: (1) informing and advising on obligations to comply with the GDPR; (2) monitoring compliance with the GDPR; and (3) being the first point of contact for the Information Commissioner and for individual data subjects.
Privacy impact assessments
As mentioned above, it may be sensible to create a template for privacy impact assessments, alongside putting in place a policy setting out when that template should be used.
Further information
Reed Smith can help you get ready for the GDPR by assisting with any of the above actions, and our pensions lawyers have been working closely with our data protection lawyers to prepare for the new regime.
Client Alert 2017-202