Taking stock of GDPR one year on
With 25 May marking the anniversary of the introduction of the General Data Protection Regulation (“the GDPR”), Sackers has set out the key areas that trustees and employers should still have high on their agendas.
Helen Baker, Partner at Sackers, said: “The last 12 months have been very busy on the data protection front. Schemes have been working on compliance, risk management and dealing with data protection in practice – for example, when members make data subject access requests or if a breach occurs. One year on is a good time to take stock of data protection. Has all compliance work been completed? Has work done in the last year meant that real life experience can be drawn on, and has new and updated guidance from the Information Commissioner’s Office (ICO) been considered? Data protection compliance and risk management is an ongoing challenge for schemes and now is a good time to review and update.
“Some specific areas that are worth having on the review checklist are:
- Audit / record keeping: trustees are required to keep an up-to-date record of their personal data processing activities. Many trustees will have used the information gathered as part of their data audit exercise in the run-up to May 2018 as a platform for this. The ICO has also issued guidance and basic templates to help data controllers and data processors to meet their record keeping obligations. But, given the sheer volume of personal data held by trustees and their advisers, this remains a complex area for schemes so legal input may be required.
- Compliant contracts: all data controllers must have binding GDPR-compliant contracts in place with any data processor whose services they engage. Finalising contracts should be a priority for trustees as unagreed terms pose certain risks, including potential sanctions from the ICO. Ensuring appropriate data protection provisions are in place should also be a key consideration when making any new appointments.
- Data protection policies and procedures: this is a good time for trustees to revisit their data protection policies and procedures, reviewing and updating them (as required) in light of experience over the last 12 months, especially in relation to data subject access requests and breaches.
- Documenting the legal basis for processing: as data controllers, trustees need to ensure that they have a legal basis for holding all scheme personal data, bearing in mind that there may be one and it may change over time. When relying on “legitimate interests” (i.e. that the processing is necessary for the purposes of legitimate interests pursued by the trustees or a third party, such as the effective running of the scheme), a “legitimate interests assessment” should be considered to help evidence compliance. The ICO has published guidance and a sample template which can help here.
- Cyber security: cyber risks pose a serious and ever-present danger to organisations reliant on their information technology systems and processes. TPR’s guidance on “cyber security principles for pension schemes” recognises this, highlighting the need for trustees to have processes in place to address cyber risks and encouraging them to actively engage with their advisers on this ever-increasing threat.”
Baker added: “As data protection compliance is ongoing, schemes should address how this will be managed going forward. To ensure that data protection does not slip off the radar and become a significant risk because it is not being managed, schemes should consider who is responsible for maintaining compliance, how often reviews will be carried out and how frequently training needs to be refreshed. This should be logged in the data protection policy and other relevant documents, such as the scheme’s business plan.”