Pensions Aspects Magazine

05 April 2018

Pensions Aspects April 2018

A false sense of security? Read the latest issue on GDPR and Cyber security: how robust is your approach?

Data and the looming deadline...

There was a time when 25 May 2018 was a long time in the future, but that time is no longer with us. It is only a matter of weeks away now, and with that fateful day comes the General Data Protection Regulation, known to the world as “GDPR”.

GDPR is a piece of EU-wide legislation that updates data protection laws and, unusually, comes into effect without any laws being passed by the UK Parliament (this is the “Regulation” part of the title). In many ways it is nothing new: the rules are generally a sensible extension of what was there before, but it has had the world talking because the fines are bigger (up to 20 million Euros), and can be issued against everyone “processing” personal data, not just those “controlling” it.

It is this second point that has galvanised the pensions industry. The “data controllers”, who are already obliged to comply, are the trustees. We all know that, historically, a lot of trustees never reviewed their agreements with their various advisers, and certainly few had the commercial power to alter them. If their actuary, or administrator, or even lawyer wanted to say that they were sending the data unencrypted to a mate in Western Samoa (or anywhere else outside the EEA), the ability of the trustees to stop them was extremely limited. So, the trustees had the data obligations, but someone else had all the power.

Of course, the number of advisers who wanted to play fast and loose with data was very small, but the new obligations have galvanised us all into action. Trustees are now being inundated with a flood of demands and requests from their advisers, all of which are supposed to be sorted by 25 May.

The schemes need to have completed their data mapping and worked out their policies and systems on a range of issues, from reporting of breaches to member subject access requests. They need to have new agreements with all their processors, covering certain specific issues, and they need to have told people about their data, and how and why they hold it. An increasing number of schemes know that, probably, they are going to miss the deadline.

Is missing the deadline the end of the world? In one sense, no. The Information Commissioner’s Office (ICO) that regulates GDPR tends to take the same pragmatic view as our own Pensions Regulator. If the trustees are getting there, but don’t quite meet the deadlines for everything, the ICO is likely to be relatively relaxed; it is the direction of travel that matters. It is the schemes that are kicking back and not moving the process forward that really need to worry.

Because, in one sense, the deadline may not be the end of the world, but ignoring data protection may be. Pension trustees can sometimes assume that, because a lot of political rhetoric around GDPR is about Facebook and Big Data and Data Mining, it isn’t really about pension schemes. This seems to miss some fundamental facts about the vast amount of data held by pension schemes, much of which is sensitive (both in the GDPR and the usual sense), and which is worth a great deal of money to a range of criminals who might want it for anything from identity theft to liberation scamming. Pension schemes are increasingly the target of cyber attacks and any scheme that is relaxed about GDPR is missing the bigger picture; our industry has a lot of valuable data and we need to be looking after it.
