How to protect pensions data ahead of changing regulations

The new EU General Data Protection Regulation, expected to come into force in 2017 or 2018, will have significant implications for how employers handle data, and pension schemes in particular.


If you read nothing else, read this…

  • Employers will have to assess their approach to protecting employee data, including that which is processed through pension schemes.
  • Ensuring compliance for all members of a workplace pension scheme will be a big issue for employers.
  • Employers should review their position now in order to be adequately prepared. 

The regulation introduces a number of changes to the current data protection regime. These include tougher sanctions for breaches of rules, stricter notice and consent rules, new obligations on all data controllers to notify breaches and greater emphasis on a data controller’s accountability.

Comron Rowe, a partner at Temple Bright, says: “Employers will need to toughen up their approach to data protection and the way it applies to their employees and pension arrangements, including introducing more comprehensive data protection policies and procedures and taking non-compliance more seriously. Many employers may even need to appoint a dedicated data protection officer with expert knowledge of data protection law and practices.”

New obligations

In practice, this will create several new obligations on those who are seen as ‘data controllers’, particularly trustees, warns Nicola Fulford, head of data protection and privacy at technology and digital media law firm Kemp Little. “It is likely that some of the new obligations will involve the trustees providing more comprehensive information to individuals before beginning any processing,” she says. “There will also need to be increased internal administration, to be able to demonstrate compliance, or accountability. This would include implementing and maintaining detailed records of all processing activities, appointing a data protection officer to oversee the pension scheme’s data protection practices and, where appropriate, for example when considering a new computer system, using tools such as ‘privacy impact assessments’ and ‘privacy by design’ in these projects.”

Where external administrators have been appointed to run pension schemes, trustees must also review contracts to reflect the new obligations for the administrators, adds Fulford.

Employers must ensure compliance

The biggest issue for many employers will be how to ensure compliance across the range of active, deferred and pensioner members. Helen Powell, counsel in Allen and Overy’s pensions practice, says: “Current best practice is to get express consent to data processing when a member joins the scheme, and to frame the consent widely to cover possible future changes of provider, administrator or scheme sponsor,” she says. “But where this was not done, and where schemes are already reliant on implied or negative consent to carry out the data processing required, this could mean a large-scale effort to obtain explicit consent.”

Auto-enrolment has further complicated this because those joining schemes do not need to give consent as a condition of joining, but this exception will not last for the duration of a member’s lifecycle. “It seems likely that the net result is to store up further consent issues for the future,” Powell says.

Other practical issues include the extension of the notice requirement of the current directive with the addition of new fields of required information, meaning employers will have to review and amend existing notices. Ann Bevitt, a partner at law firm Cooley, explains: “If employers fail to meet these new stricter requirements they may be fined up to €100m or 2–5% of annual worldwide turnover; whichever is greater.” 

Data protection breaches

In the event of any data protection breaches, employers will be forced to act immediately. Monica Cope, chief operating officer at data management firm Veratta, says: “Organisations must notify the relevant data protection authority of the incident occurring without undue delay, and the data subjects themselves must be notified if there is likely to be an adverse effect. The data protection authority will maintain a public register of the types of breaches notified. As such, scheme trustees and their advisers should consider their communication strategies to ensure that all legal and contractual obligations are adhered to, and that any correspondence with members, media and public interfaces are appropriately managed.”

For now, employers need to focus on planning to ensure they are ready for the eventual introduction of the regulation. “This will very likely be agreed this year and then come into force two years later,” says Fulford. “However, updating and improving internal compliance processes and external-facing documentation in order to be able to meet the new standards will take some time and effort, so trustees should start reviewing their current position and planning remediation activities soon.”