GDPR clock ticking for pension schemes
The Information Commissioner’s Office (ICO) closes a consultation on its General Data Protection Regulation (GDPR) consent guidance today. Helen Baker, partner at Sackers, explains that now is the time for pension schemes to start preparing to comply with the looming regulation:
“The GDPR tightens the requirements which impact how pension schemes obtain member consent for the data they hold and process. Under GDPR, consent must be ‘freely given, specific and informed’ and, once given, can be withdrawn at any time. Where consent is the legal basis for processing data, pension schemes, as holders of large amounts of member data, must check that the new requirements are met. Consent may need to be given again where the new requirements were not met and the data is still required to provide benefits.
“Schemes will need to provide more information to members about data. Members will need to be told about the purpose of processing, the legal basis for processing and who receives data. They should also be given information about transfers of data outside of the EU. How long data will be kept for will need to be explained, and so will the rights members will have under the GDPR.
“Trustees, employers and providers should kick-start their preparations for GDPR now to ensure that they are ready for the May 2018 implementation deadline. While guidance on some aspects of the GDPR is awaited from the ICO consultation, this will supplement the Regulation itself. There is currently enough detail in the Regulation for trustees to begin taking steps to comply with GDPR, by assessing the legal basis on which the data is held. This should include an audit of existing data to check what is being held, why, how long for and whether it is still needed.
“Trustees should also look at the circumstances in which data may be disclosed to external parties and seek advice on the changes needed to existing and new contracts, to ensure compliance and that terms relating to the allocation of risk and caps on risk are appropriate for data protection claims. UK schemes will not escape the Directive post-Brexit. It is expected that the UK will need something akin to GDPR in place to continue doing business in Europe.”