The General Data Protection Regulation (GDPR) introduces more stringent requirements for contracts between data controllers and data processors than are currently in place. Pension trustees are data controllers of the personal data they hold and use to run their schemes. To be fully compliant with the GDPR, trustees will need to make sure they have written contracts in place with their data processors that contain certain prescribed provisions ahead of 25 May 2018. Here are some key questions to consider.
Firstly, who are data processors? A data processor is an organisation that processes personal data on behalf of a data controller. In the pensions context, a key data processor is the scheme administrator. This may be a third-party or an in-house team.
Trustees are likely to need to carry out a scheme data audit of some sort to ensure they understand how and why each of their partners and providers uses the scheme’s personal data. This exercise will help trustees work out who their data processors are.
Next, what do contracts with data processors need to include? The GDPR contains a long list of provisions that all data processors must sign up to. Broadly, these fall into three categories: those that set out what personal data is processed and why; those that place certain restrictions on the way the data processor can operate, for example, a requirement to have appropriate security measures in place; and those that require the data processor to cooperate with the data controller in certain circumstances. This could include assisting the data controller in responding to a data breach.
Another question to consider is how trustees can get contract updates off to a good start. Trustees need to understand how and why each of their partners and providers uses the scheme’s personal data. Trustees are likely to find that the most effective approach is to have an informal discussion to agree what data processing is happening and what data protection roles each party plays in practice.
Trustees should also establish what they want to achieve with the contract update process. Are they interested in GDPR compliance only, in building in other data protection measures, such as certain data security standards, or in revisiting liability provisions?
Lastly, how and when should the updating process start? This will depend on the approach that the parties wish to take. For example, some trustees may want their third-party processors to take the lead by proposing amendments to existing contractual terms; others may want to use the approach of the sponsor’s corporate group. It may make most sense for the party who drafted the existing contractual terms to be the one who takes a lead on proposing amendments.
Whatever approach is used, trustees will want to take time to understand, and perhaps negotiate, any new terms and, if they have not already done so, now is the time to start this process. A practical first step would be to contact the parties you believe are your data processors, agree what data processing is happening in practice and make a plan with them for updating relevant contracts.
Sarah Henderson is senior associate at Sackers