Sarah Henderson: What pension scheme employers should be prioritising in terms of GDPR

Pension scheme employers and trustees spent many hours getting ready for the revamped data protection regime that came into force on 25 May 2018. What’s new in the data protection landscape and what should pension scheme employers and trustees be prioritising three years later?

First, mapping your data footprint remains a central pillar of data protection compliance. As data controllers, employers and trustees must ensure that the personal data they control is adequately protected. This usually means having appropriate contracts with your providers and having up-to-date technological and organisational security measures in place.

Without understanding who has your data, why and where the data may be held – as well as how far it might have travelled – it’s practically impossible to put appropriate protections in place or to check that they remain fit for purpose. This would be a good time to take stock, update data maps and check that all data flows are suitably secure.

Second, it’s important to know whether you are responsible for any international transfers of personal data as you may need to put additional contracts in place to protect them. The data protection landscape on international transfers has changed in two material ways over the last year.

Following the European Court’s decision in Schrems II in July 2020, data transfers to the US under the EU-US Privacy Shield framework are no longer considered to be appropriately protected. Separately, the UK’s Brexit transition period ended at the end of December 2020. The temporary bridge that currently allows the continued free flow of personal data to the UK from the European Union falls away at the end of June 2021.

If no adequacy decision from the European Commission is forthcoming by then, organisations may well need to act swiftly to protect these data flows. The Information Commissioner’s Office is recommending that organisations put alternative safeguards in place now, just in case an adequacy decision fails to materialise.

Third, employers and trustees need to check the cyber resilience of their pension schemes. We know pension schemes are an attractive target for cyber criminals. Since the pandemic hit, increased reliance on remote access technologies has created new vulnerabilities for pension schemes. Asking your providers and advisers how they guard against, spot and thwart cyber-attacks has never been more crucial.

Sarah Henderson is a senior associate at Sackers