Major changes from May 2018
Trustees, employers and pension scheme administrators will be affected by major changes in data protection law from May 2018. They need to ensure their procedures for handling data comply with the new requirements.
Changes will be required to administrative procedures, scheme administration agreements and member communications.
The changes are the result of the EU's new General Data Protection Regulation (GDPR). This aims to create a uniform set of data protection rules across the EU in place of the current patchwork of national regimes.
If the UK is outside the EU, the GDPR will not apply directly to it. But if it wants to trade on equal terms in the single market, the UK will need data protection standards equivalent to the GDPR, so UK pension schemes should plan on the basis that the new requirements will apply in substance either way.
Among the key changes for those involved in pension schemes:
- A higher threshold for an individual's consent to processing their personal data: consent must be "freely given, specific, informed and unambiguous" and, in relation to sensitive data, "explicit".
- Greater rights for individuals, including access rights and a right to be forgotten in certain circumstances.
- Wider territorial scope: organisations outside the EU that handle EU data subjects' information will need to comply with the new EU law as well as local law. This could affect multi-national groups and third party administrators.
- Compliance obligations imposed directly on data processors, not just data controllers.
- More internal record keeping: data controllers and data processors will each be required to keep records of their processing activities.
- Stronger reporting requirements: data controllers must notify the Information Commissioner's Office (ICO) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Data processors must notify the controller without undue delay, so scheme administration agreements will need to set out how and how quickly administrators report breaches to trustees.
- Higher penalties for breaches of the law: today the maximum fine is £500,000; in future it will be the greater of 4% of annual worldwide turnover and €20 million.
The ICO has a dedicated Data Protection Reform area on its website. This sets out the programme of work planned at national and EU level to raise awareness of the changes and to provide guidance to those affected.
Safe Harbour to Privacy Shield
The EU and the US government continue to work to agree a new data protection standard for US bodies processing or accessing EU data subjects' personal data. This follows the invalidation of the US's Safe Harbour measures in October last year.
Transfers of EU data subjects' personal data outside the EEA need to be done on terms that ensure EU data protection standards are observed. The same applies where data is accessed from outside the EEA, for example by an administrator's support staff or a group company overseas. In October last year the Court of Justice of the European Union found that the US's Safe Harbour measures did not ensure an adequate level of protection. This meant data transfers relying on them did not comply with data protection law. The Safe Harbour was not the only way data transfers to the US were lawfully made, but it was widely relied on.
The proposed replacement measures are being referred to as the "Privacy Shield".
While work on it continues, our general advice to clients affected by the invalidation of Safe Harbour is to try to agree a switch to the EU standard contractual clauses (the "model clauses") with their US counterparties (and other group companies, as appropriate), and to check that existing administration and outsourcing contracts identify where member data is held and from where it can be accessed.
When the Court made its decision, the UK Information Commissioner immediately recognised that it would take organisations some time to ensure that their transfers of data to the US comply with data protection law.