Hell hath no fury like a Lawyer or Auditor scorned. GDPR has unfortunately put the Pensions industry in that dangerous position where we have to run a gauntlet, deciding how seriously to take the dire warnings of these two professional communities. The 25th of May 2018 trundles ever closer and we now have a far better view of what to expect.
On the one hand, GDPR has in fact generated a tremendous amount of work. On the other hand, the industry is slowly coalescing to the view that the Trust-based Pensions community is likely to sit in a relatively benign environment, as far as the GDPR is concerned.
Most Trustee Boards, Consultants and Administrators have put in place a Governance framework and detailed project plans. Those who have not should be concerned. There is a lot to think about and deliver to meet the regulation.
The next thing you should have created is a set of detailed process maps outlining your data flows. Royal Mail, scanning bureaux, tracing agencies and document storage companies all need to be considered. Data Subjects include Scheme members, contingent beneficiaries, advisors and suppliers. The data itself is extensive: names, addresses, NI numbers and bank details.
The legal basis for processing and retaining data will need to be agreed over the next couple of months. The industry broadly agrees that we cannot process data on the basis of consent, as consent can be revoked. We need to be able to collect, store and process relevant data to administer the pension arrangements for our membership, and we cannot delete records in case we have to investigate fraud or defend against legal claims. The legal view currently is that this should be possible under the ‘Contractual obligations’, ‘Legitimate interest’ and ‘Defence against Legal Claims’ bases.
However, there are questions around the processing of ill-health data without consent, though I am unsure what an administrator would do if someone receiving an ill-health pension were to withdraw consent. We also need to query whether we can send a member a transfer-out quotation at retirement or send member data to a buy-out provider, without consent.
Systems and processes need to be designed to protect data by default. This is standard for sponsors, consultants, administrators and systems providers. However, Trustee Boards must review these arrangements, especially where Trustees are using personal email IDs and computer equipment.
The final piece of the puzzle is updating policies, privacy notices and contracts. Information, Cyber, IT and Organisational security policies need a review. Privacy Notices need to be updated, sent to the membership and linked to at data collection points. We also need updated GDPR riders to relevant contracts. We have seen GDPR riders that run from fifteen to thirty sides of A4, replacing current two-page Data Protection clauses. As the new Data Protection Act 2018 moves through Parliament, we hope that a pragmatic view emerges, in terms of the specific legal documentation that will be required to protect all parties concerned.
Of course, the lawyers will have to do the final legal checks and the Auditors will verify whether we meet GDPR requirements. Let us keep them on side while we go through this process, to ensure that they do not unleash fire and fury upon us, the likes of which the world has never seen.
Originally written and published for Pensions Expert on February 5th, 2018.