GDPR – Practical guidance for pension trustees

June 2017

Data protection is changing significantly from 25 May 2018. We explore the changes to the law and suggest our 'Top 6 Actions for Pension Trustees'.

The current legislation, the Data Protection Act 1998 (DPA), has been in place for nearly 20 years and from next year will be replaced by the General Data Protection Regulation (GDPR). This is one matter which will not be shunted into the sidings with Brexit, and full compliance will be required from day one.

So, with the starting gun fired, what does this mean for pensions?

Let's start by looking at what the GDPR is
The GDPR replaces the DPA. It applies to all EU member states and provides a single EU legal framework for the processing of individuals' data. In addition (and unlike the existing legislation), it recognises the technological advances of recent years and strengthens individuals' fundamental data protection rights. In other words, it is 'DPA plus'.

Is it all change from the DPA?
No, some aspects are retained. For example, there will still be the fundamental concepts of:

  • data controller and data processor, but note that, for the first time, data processors will be liable for breaches of data protection legislation, so that in many respects they will be treated in the same way as data controllers and be subject to the same compliance requirements;
  • personal and sensitive personal data, although in both cases the definitions have been widened; and
  • processing in accordance with six data protection principles which look very similar to those under the DPA.

So far, so good. So what IS so different then?

Put very simply, quite a lot when you start to look at how it will operate on the ground. With pensions in mind, some significant changes are as follows.

1. Personal and sensitive personal data must be processed in accordance with certain set conditions. Yes, there are similar provisions under the DPA, and so there is some overlap with the current data protection requirements. The devil is in the detail though, and when you start to drill down into each requirement you see that there are some significant differences.

2. The most pertinent change for pension schemes is probably the one concerning consent. By way of reminder, data processing may only occur after an appropriate legal basis for processing has been identified. The consent of the data subject to data processing is one such legal basis. Obtaining consent to processing personal and sensitive personal data will become much more difficult. Existing consent provisions may not be sufficient for GDPR purposes. It's also important to note that members have the right to withdraw consent at any time (part of the "right to be forgotten" provisions). This could have significant operational implications for pension schemes.

3. So, if trustees don't want to (or can't) rely on consent, is there another legal basis for data processing? For pension schemes the obvious choice would probably be the "legitimate interests" basis, i.e. where data processing is necessary for the purposes of legitimate interests pursued by the data controller. However, in order to comply with this, members will need to be provided with detailed privacy notices. It's probably the case that most privacy notices at present will need to be updated to comply with the GDPR.

4. Trustees will need to review contracts with data processors (including scheme administrators) to ensure these are GDPR compliant. This is likely to require the imposition of new terms detailing the more extensive obligations. As a quid pro quo (and mindful of their own potential liability for breach of the GDPR), we expect data processors to seek additional indemnities from trustees.

5. And what if things do go wrong? The time frame for the notification of data breaches will become more onerous. Any breach will need to be notified to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
And if things go really wrong, then for the most serious breaches the penalties are being increased up to 20 million euros (or, for commercial entities, the higher of 20 million euros or 4% of global turnover).

If you would like to discuss any aspect of this article further, please contact Rebecca Cooke or your usual contact in the pensions team on 0113 244 6100.

The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice, please feel free to contact Wrigleys Solicitors.

Rebecca Cooke

Solicitor
Leeds
