5 April 2018

Pensions Aspects April 2018

A false sense of security? Read the latest issue on GDPR and Cyber security: how robust is your approach?

Data and the looming deadline...

There was a time when 25 May 2018 was a long time in the future, but that time is no longer with us. It is only a matter of weeks away now, and with that fateful day comes the General Data Protection Regulation, known to the world as “GDPR”.

GDPR is a piece of EU-wide legislation that updates data protection laws and, unusually, comes into effect without any laws being passed by the UK Parliament (this is the “Regulation” part of the title). In many ways it is nothing new: the rules are generally a sensible extension of what was there before, but it has had the world talking because the fines are bigger (up to 20 million Euros), and can be issued against everyone “processing” personal data, not just those “controlling” it.


It is this second point that has galvanised the pensions industry. The “data controllers”, who are already obliged to comply, are the trustees. We all know that, historically, a lot of trustees never reviewed their agreements with their various advisers, and certainly few had the commercial power to alter them. If their actuary, or administrator, or even lawyer wanted to say that they were sending the data unencrypted to a mate in Western Samoa (or anywhere else outside the EEA), the ability of the trustees to stop them was extremely limited. So, the trustees had the data obligations, but someone else had all the power.

Of course, the number of advisers who wanted to play fast and loose with data was very small, but the new obligations have galvanised us all into action. Trustees are now being inundated with a flood of demands and requests from their advisers, all of which are supposed to be sorted by 25 May.

The schemes need to have completed their data mapping and worked out their policies and systems on a range of issues from reporting of breaches to member subject access requests. They need to have new agreements with all their processors, covering certain specific issues, and they need to have told people about their data, and how and why they hold it. An increasing number of schemes know that, probably, they are going to miss the deadline.

Is missing the deadline the end of the world? In one sense, no. The Information Commissioner’s Office (ICO), which regulates GDPR, tends to take the same pragmatic view as our own Pensions Regulator. If the trustees are getting there, but don’t quite meet the deadlines for everything, the ICO is likely to be relatively relaxed; it is the direction of travel that matters. It is the schemes that are kicking back and not moving the process forward that really need to worry.

Because, in one sense, the deadline may not be the end of the world, but ignoring data protection may be. Pension trustees can sometimes assume that, because a lot of political rhetoric around GDPR is about Facebook and Big Data and Data Mining, it isn’t really about pension schemes. This seems to miss some fundamental facts about the vast amount of data held by pension schemes, much of which is sensitive (both in the GDPR and the usual sense), and which is worth a great deal of money to a range of criminals who might want it for anything from identity theft to liberation scamming. Pension schemes are increasingly the target of cyber attacks and any scheme that is relaxed about GDPR is missing the bigger picture; our industry has a lot of valuable data and we need to be looking after it.


Last update: 10 September 2020

Rosalind Connor
ARC Pensions Law
