PMI
5 April 2018

Pensions Aspects April 2018

A false sense of security? Read the latest issue on GDPR and Cyber security: how robust is your approach?

Data and the looming deadline...

There was a time when 25 May 2018 was a long time in the future, but that time is no longer with us. It is only a matter of weeks away now, and with that fateful day comes the General Data Protection Regulation, known to the world as “GDPR”.

GDPR is a piece of EU-wide legislation that updates data protection laws and, unusually, comes into effect without any laws being passed by the UK Parliament (this is the “Regulation” part of the title). In many ways it is nothing new: the rules are generally a sensible extension of what was there before, but it has had the world talking because the fines are bigger (up to 20 million Euros), and can be issued against everyone “processing” personal data, not just those “controlling” it.

It is this second point that has galvanised the pensions industry. The “data controllers”, who are already obliged to comply, are the trustees. We all know that, historically, a lot of trustees never reviewed their agreements with their various advisers, and certainly few had the commercial power to alter them. If their actuary, or administrator, or even lawyer wanted to say that they were sending the data unencrypted to a mate in Western Samoa (or anywhere else outside the EEA), the ability of the trustees to stop them was extremely limited. So, the trustees had the data obligations, but someone else had all the power.

Of course, the number of advisers who wanted to play fast and loose with data was very small, but the new obligations have galvanised us all into action. Trustees are now being inundated with a flood of demands and requests from their advisers, all of which are supposed to be sorted by 25 May.

The schemes need to have completed their data mapping and worked out their policies and systems on a range of issues, from reporting of breaches to member subject access requests. They need to have new agreements with all their processors, covering certain specific issues, and they need to have told people about their data, and how and why they hold it. An increasing number of schemes know that, probably, they are going to miss the deadline.

Is missing the deadline the end of the world? In one sense, no. The Information Commissioner’s Office (ICO), which regulates GDPR, tends to take the same pragmatic view as our own Pensions Regulator. If the trustees are getting there, but don’t quite meet the deadlines for everything, the ICO is likely to be relatively relaxed; it is the direction of travel that matters. It is the schemes that are kicking back and not moving the process forward that really need to worry.

Because, in one sense, the deadline may not be the end of the world, but ignoring data protection may be. Pension trustees can sometimes assume that, because a lot of political rhetoric around GDPR is about Facebook and Big Data and Data Mining, it isn’t really about pension schemes. This seems to miss some fundamental facts about the vast amount of data held by pension schemes, much of which is sensitive (both in the GDPR and the usual sense), and which is worth a great deal of money to a range of criminals who might want it for anything from identity theft to liberation scamming. Pension schemes are increasingly the target of cyber attacks and any scheme that is relaxed about GDPR is missing the bigger picture; our industry has a lot of valuable data and we need to be looking after it.

Last update: 10 September 2020

Rosalind Connor
ARC Pensions Law
Partner
