From the blog: Hell hath no fury like a lawyer or auditor scorned. The General Data Protection Regulation has unfortunately put the pensions industry in that dangerous position where we have to run a gauntlet, deciding how seriously to take the dire warnings of these two professional communities.
May 25 2018 trundles ever closer and we now have a far better view of what to expect.
On one hand, the GDPR has generated a tremendous amount of work. On the other, the industry is slowly coalescing to the view that the trust-based pensions community is likely to sit in a relatively benign environment, as far as the GDPR is concerned.
Trustee boards must review systems and processes, especially if trustees are using personal email identities and computer equipment
Most trustee boards, consultants and administrators have put in place a governance framework and detailed project plans. Those who have not should be concerned. There is a lot to think about and deliver to meet the regulation.
The next thing you should have created is a set of detailed process maps outlining your data flows. Royal Mail, scanning bureaus, tracing agencies and document storage companies all need to be considered. Data subjects include scheme members, contingent beneficiaries, advisers and suppliers. The data itself is extensive: names, addresses, national insurance numbers and bank details.
The legal basis for processing and retaining data will need to be agreed over the next couple of months. The industry broadly agrees that we cannot process data on the basis of consent, as consent can be revoked. We need to be able to collect, store and process relevant data to administer the pension arrangements for our membership and cannot delete records in case we have to investigate fraud or defend against legal claims.
The legal view currently is that this should be possible based on the ‘contractual obligations’, ‘legitimate interest’, and ‘defence against legal claims’ exceptions.
However, there are questions around the processing of ill-health data without consent, though I am unsure what an administrator would do if someone receiving an ill-health pension were to withdraw consent. We also need to query whether we can send a transfer-out quotation at retirement, or send member data to a buyout provider, without consent.
Systems and processes need to be designed to protect data by default. This is standard for sponsors, consultants, administrators and systems providers.
However, trustee boards must review these, especially when dealing with trustees who are using personal email identities and computer equipment.
The final piece of the puzzle is updating policies, privacy notices and contracts. Information, cyber, IT and organisational security policies need a review. Privacy notices need to be updated, sent to the membership and linked to at data collection points.
We also need updated GDPR riders to relevant contracts. We have seen GDPR riders that run from 15 to 30 sides of A4, replacing current two-page data protection clauses.
As the new Data Protection Act 2018 moves through parliament, we hope that a pragmatic view emerges, in terms of the specific legal documentation that will be required to protect all parties concerned.
Of course, the lawyers will have to do the final legal checks and the auditors will verify whether we meet GDPR requirements. Let us keep them on side while we go through this process, to ensure they do not unleash fire and fury upon us.
Girish Menezes is head of administration services at Premier Pensions Management