Claire Bell explains how schemes should prepare to comply with the new data protection regulation ahead of its launch next year.

Action points

  • Map your data

  • Consider how you obtain the data

  • Ensure the steps taken to comply are adequately recorded

The General Data Protection Regulation (GDPR) will change the way pension schemes can lawfully collect, use, retain and share information about members. Schemes should start preparing for compliance with the GDPR as soon as possible, or they may risk facing fines of up to €20m (£17.6m).

Widened definitions

The definition of personal data is much wider under the GDPR than under the current Data Protection Act 1998. Personal data means any information about an individual where that person can be identified directly or indirectly from the data. This includes where that individual is identifiable from a unique identifier such as a pension scheme membership number.

There are tighter restrictions on the processing of special categories of personal data, currently known as “sensitive data”. These categories include race or ethnic origin, political opinions, sexual orientation, and biometric data.

The definition of data processing is also widened and includes all processing, whether or not by automated means. Trustees need to ensure they are aware of what data they are processing in respect of scheme members, and they should create a record specifying whether the data is personal data and whether it is in a special category of personal data. A data policy should also be produced.

Lawful and transparent

Data must be processed in a lawful, fair, and transparent manner. This means either the consent of the member is obtained, or the processing is necessary for the purposes of the legitimate interests of the trustees or third parties.

If the lawful basis is consent, trustees should make sure that the processes for seeking, obtaining, and recording consent meet the higher standards in the GDPR. Consent can be withdrawn at any time, but in practice, it may be difficult for members to withdraw consent where this is necessary to protect their legitimate interests.

If “legitimate interests” is the basis for lawful processing, trustees should ensure they are clear what those interests are, and that processing on that basis is not overridden by the interests or fundamental rights and freedoms of the members. Trustees should also consider whether the data held is really necessary in order to pursue those legitimate interests.

Currently, trustees must ensure that members are given fair processing information. Under the GDPR members will have the right to much more detailed information from the trustees in relation to the processing of their data.

Increased accountability

It is important that trustees review and update privacy notices provided to members so that they contain the correct information, are provided at the right time, and are appropriately written in a clear and concise form.

Trustees can be liable for breaches of GDPR as a result of their own actions or those of data processors, so they should make sure they are adequately protected under contractual arrangements with data processors and trustee liability insurance policies.

They will also need to keep records to demonstrate they have complied with the GDPR. Adequate policies and procedures should be put in place to show that trustees have thought in advance about how data will be processed and which data is necessary to hold regarding individuals.

The coming months provide pension schemes and their administrators with the opportunity to get ready for full compliance with the GDPR. With less than one year until implementation, now is the time for trustees and employers to prepare for the changes.

Claire Bell is a partner at law firm DLA Piper