Schemes must start preparing now for data regulations coming into force next year, says Naomi Brown
A new European General Data Protection Regulation (the “GDPR”) will introduce significant changes to data protection requirements from 25 May 2018. Although many of the GDPR’s requirements are similar to existing data protection provisions, it raises the bar in a number of ways.
The UK is expected to opt in to the GDPR while the details of its Brexit negotiations are being thrashed out. However, something akin to the GDPR will no doubt need to be in place in the long term to facilitate the UK doing business in Europe.
What will pension schemes need to do?
Pension schemes hold and process a lot of data, and they may need to make a number of changes to meet the new requirements.
Many schemes will need to audit their data to check what data they hold, where it is held, why it is being held, how long it has been held for and whether it is still needed.
They are also likely to need to:
- give members more information about how their data is processed
- change the way they obtain individuals’ consent to data processing
- update their service contracts
- update their data protection policy
- establish robust new processes for managing breaches
When do you need to start?
While we are still waiting for guidance on some elements of the GDPR, pension schemes should start preparing as soon as possible to ensure they are ready by May 2018. Otherwise, they risk falling foul of the new requirements.
Our top 10 practical steps to get you started
There could be a lot of work to do to get ready for the GDPR, and trustees and pensions managers may be unsure where to begin. However, there are a number of practical steps they can take to kick-start their preparations. Our top ten are:
- Undertake training to ensure you understand your roles and responsibilities under the GDPR
- Contact your sponsoring employer to explore whether you can “piggy-back” on their preparations and to what extent you may need to join up with their approach
- Contact your administrator and actuarial advisers (who will hold and process a lot of your scheme data) to ask how they are preparing for the GDPR
- Develop a framework for your data audit so you can ask the right questions and assess the results
- Check whether you have a data protection policy and when it was last updated
- Check what you have told individuals about how their data will be processed (for example, what have you said in the scheme booklet and on scheme forms and letters?)
- Check when and how you obtain consent to data processing
- Identify all your service providers who are handling scheme data and get copies of your contracts with them
- Think about what advice and support you will need; line up your advisers and any other resources, and consider putting together a working group to take this forward
- Prepare a project plan with key steps and timescales to keep everyone on track
Naomi Brown is associate director at Sackers