It is easy to imagine bunkers in remote corners of England, hatches locked, filled with trustees who are desperate not to hear any more about the General Data Protection Regulation.

After all, GDPR was conceived with data behemoths, such as Facebook, in mind.

But while pension scheme data is markedly less interesting to the likes of data analytics firm Cambridge Analytica, GDPR is no less relevant for trustees.

From May 25, pension funds too will be subject to one of the most substantial pieces of legislation to have ever come out of Brussels.

With the deadline fast approaching, schemes are having to make sure they are prepared for a disciplinary regime that threatens to levy maximum fines of €20m (£17.5m).

The regulation, which replaces the Data Protection Act, will require trustees to anonymise member data and discourages the use of personal email addresses for their scheme work.

It stresses that personal data may only be retained as long as necessary for the purpose of processing. Data must also be processed on the basis of consent.

As far as pension schemes are concerned, it is clear that trustees would rather hold onto member data for as long as possible, if not forever. Ongoing guaranteed minimum pension equalisation is just one example of the need for schemes to store data for decades.

An opportunity to enhance security

The behaviour of trustees in relation to their management of member data is important. Boxes in trustees’ garages, filled with folders containing information on their members, are unlikely to be GDPR-compliant.

The new rules need not be viewed as a threat to trustees, who will be viewed as ‘data controllers’. Hugh Nolan, senior trustee representative at Dalriada Trustees, says GDPR is “a fantastic opportunity” for trustees to clean up their act.

Mindful of minimising the costs involved with ensuring compliance, he says that trustees should “take the opportunity to enhance security to modern standards”.

Research by management consulting firm Sia Partners suggests that the average FTSE 100 company will have to pay £15m to achieve GDPR compliance.

Schemes will not be burdened with anything close to that. But it is tempting to get carried away with preparations, and Nolan called for a pragmatic perspective on schemes moving towards a state of readiness. “There’s always more you can do to protect the data,” he says.

Data retention concerns

Central to GDPR is the question of data retention – how should trustees process data, and how long should schemes be able to keep personal information?

David Brooks, technical director at consultancy Broadstone, sees a role for employers to assist trustees with lawful data processing.

From May 25, trustees will be viewed dimly for using personal email addresses to handle member data. He said that some are exploring the use of encrypted communications platforms such as Slack and WhatsApp.

Employers are even considering offering their own infrastructure in support of their schemes. “I’ve got one employer that’s thinking about giving ex-employees that are now trustees an email address, [so] that they can use the company’s email system,” he says.

However trustees elect to guard the personal data of their members, they will not in theory be allowed to keep this information ad infinitum.

According to the Information Commissioner’s Office, principle five of the regulation requires data handlers to keep information “no longer than is necessary for the purpose you obtained it for”.

Ian Neale, director at pensions intelligence service Aries Insight, is aware of an organisation that recently circulated an instruction against the retention of data for more than six years.

He says: “In the context of pensions, you can imagine the damage that would be caused if a pension scheme threw out all its files once they were more than six years old,” calling it a “ludicrous idea”.

“Pension schemes, frankly, are going to need to retain data about their members and beneficiaries until the last beneficiary has died,” he says, adding “that could easily be a hundred years”.

How would you fine a pension scheme?

It remains to be seen whether schemes will have to justify retaining data for a century to the ICO.

Should the ICO find a scheme non-compliant, it will face the prospect of being stung by one of two levels of fines.

Under GDPR, more minor infringements may see companies fined up to €10m or 2 per cent of their turnover, while more serious incidents could see punishments of €20m or 4 per cent of turnover – in both cases, whichever is higher.

John Gordon, counsel at law firm Ashurst, spots a major flaw in this regime with regard to pension schemes. “Pension schemes obviously don’t have a turnover,” he says.

Gordon identified the trustees, the employer, and scheme assets as plausible, if unlikely, targets for fines.

Should the ICO levy fines against trustees, professional or otherwise, they will risk driving volunteers from the role, he says.

The employer would be an unjust recipient of a fine, given their lack of involvement with the scheme data management. To fine scheme assets would amount to punishing the members, which would also be unfair.

“I don’t think that the fine system is likely to be applied to the pensions industry,” he says.

In 2016-17, the ICO resolved over 17,300 data protection cases. Over the year, it issued 16 fines.

“I think that what we’re going to actually see is a system of warnings, reprimands or corrective orders,” Gordon says.

Stephen Scholefield, pensions partner at law firm Pinsent Masons, recognised the lack of clarity for pension schemes over this part of GDPR, but criticised “scaremongering” over the fines regime.

“With all sorts of new changes in law, one imagines that at least for the first few years, provided that trustees can show that they’ve tried to address GDPR and done some sensible steps, we imagine that the Information Commissioner would focus on helping people put things right,” he says.

Schemes are therefore unlikely to face eye-watering fines for the mismanagement of member data. Scholefield also shares the view that they will be within their rights to keep information in the long term.

“It’s hugely legitimate to conclude that ‘as long as necessary’, pretty much means forever,” he says.

Entering a brave new world

It is also fair to conclude that, in spite of the evident mismatch between GDPR and pensions, the industry appears to be broadly on track with the ICO’s expectations.

On the face of it, legislation designed to prevent the exploitation of personal data for commercial gain may not suit the pensions industry.

Arguably, though, the industry is becoming more able to respond to sweeping demands over data management in a way that makes it inherently compatible with GDPR.

Rosalind Connor, partner at Arc Pensions Law, says that owing to the nature of member data, years of regulatory pressure and a painful recent history of security breaches, the world of pensions is ahead of comparable industries when it comes to prudent data management.

While urging against complacency, she says, “I think the whole industry has been aware of the risk of cyber-attack in a way maybe loads of other people haven’t”, adding, “we all know in pensions that old sins have long shadows”.

Jane Beverley, principal and head of research at consultancy XPS Pensions, recognises the aspects of GDPR that are geared towards data giants.

These include the right to be forgotten, which “obviously doesn’t work in a pension scheme context”, she says, because schemes would subsequently be unable to pay benefits to the ‘forgotten’ member.

For Beverley, some of the most profound changes brought about by GDPR will relate to the long-term frequency of document reviews, and how often schemes will refresh their consent to sensitive data.

“We’re all focusing on May 25 as though the world stops on that day. And in fact, that’s when the new world starts.”