Pension schemes must use the next 12 months to review and update data protection practices, industry experts have urged, ahead of new rules which could result in huge fines for trustees.
The EU’s General Data Protection Regulation is due to be implemented on May 25 2018. It will require data controllers to obtain consent to collect sensitive data, and to take adequate steps to protect it.
Experts said that any neglect of data security could make schemes vulnerable to fines under the new regime, which can reach a maximum of €20m (£17.3m) or 4 per cent of annual global turnover – whichever is higher – for the most serious of breaches.
Despite the UK’s impending exit from Europe, the British government is expected to pass a similar law, to facilitate provision of services across borders.
“With only 12 months to go until implementation it is important that pension schemes are aware of the regulation and consider what changes they may need to make in light of it,” said Matthew Burrell, senior policy adviser for defined contribution at the Pensions and Lifetime Savings Association.
“The GDPR will create new rules around breach disclosure and put a greater emphasis on accountability and transparency,” he added.
What's new?
Under the regulation, schemes will be recognised as data controllers, while administrators and third parties who use scheme data will be data processors.
The Information Commissioner's Office, responsible for enforcing the requirements, can levy fines against controllers, processors, or both, depending on the circumstances of a breach.
“It seems possible that trustees, as data controllers, could potentially find themselves on the hook if the responsibility ultimately falls at their door,” said Naomi Brown, associate director at law firm Sackers.
Fines would be capped at the higher of €20m or 4 per cent of annual turnover. Brown was unsure how the turnover rule would be applied to a scheme, but said that large fines were likely to be reserved for serious breaches where data systems were entirely inadequate.
To mitigate the risk of paying for a third-party error, “trustees should also look at their indemnity and insurance arrangements to check what protection they have in place,” she said.
Locking down data
Some schemes may keep legacy member data in paper format. Brown said this did not present a problem under GDPR as long as security measures are in place, but added: “In practice they may find it easier to keep scheme data secure if it is all held electronically.”
She said that most schemes had robust data security practices, but these should be reviewed in light of GDPR.
If a scheme suspects that a breach may have occurred, it will be required to report it to the ICO and to the members concerned. Failure to do so could result in further fines.
Ruaraidh Thomas, managing director of analytics company DST, said this could stretch the resources of businesses and schemes alike, and that trustees should be alert to further updates in the coming months.
“I’m not entirely sure people can be ready today because there is still some guidance required from the ICO,” he said.
“I don’t think people should be scared of GDPR,” he reassured, calling the measure “an opportunity for [schemes and their administrators] to become more effective as an entity and in combination”.
Reputation at stake
GDPR will also have a significant impact on the asset management industry, which under the Markets in Financial Instruments Directive II could hold more data than ever before, according to Lorraine Mouat, senior regulatory consultant at regulatory adviser TCC Group.
Alongside the harsh financial penalties, reputational damage from a security breach could undermine faith in both managers and their pension scheme clients.
“The Information Commissioner’s Office will publish any successful prosecutions or sanctions related to data security breaches, and in this world of social media it wouldn’t take long for this information to spread,” said Mouat.
“Anyone who processes personal data needs to be aware of their requirements under GDPR, so all parties should enter into a dialogue to ensure they are compliant and start negotiating contracts etc to include the relevant clauses in time for its implementation,” she added.