EU: A New Data Protection Regime Is Coming

By Jason Coates © Gowling WLG Apr 24, 2017

The pensions industry has one year to prepare for new EU regulations coming its way. Europe's new data protection legal framework is set out in the General Data Protection Regulation (GDPR), which will come into force in all EU Member States on May 25, 2018, including the U.K. While the changes are not radically different to the current legal requirements, there are important developments that the pensions industry needs to be aware of ahead of May 2018.

Key Points

1. A new EU data protection regime comes into force in May 2018. The GDPR will come into force in all EU Member States on May 25, 2018.

2. The GDPR will apply to the U.K. and is likely to apply after the U.K. leaves the EU. The U.K. will still be a Member State of the EU on May 25, 2018. The GDPR comes into effect for all Member States, and so will come into force in the U.K. The U.K. will retain the GDPR following Brexit.

3. The GDPR is evolutionary rather than revolutionary. The GDPR does not mark a radical departure from the current data protection regime (i.e., in the U.K. under the Data Protection Act 1998 (DPA)). There are, however, certain key changes that will focus attention in the pensions industry.

4. There are four key developments that will affect the pensions industry the most. The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are:

  • More detailed privacy notices, while still being concise and easily understood.
  • Overlapping controller and processor obligations, especially around security.
  • Mandatory breach notification to regulators and members.
  • More severe sanctions for noncompliance.

What's Happening on Data Protection?

Regardless of the progress of Brexit negotiations, it is very likely that the U.K. will still be a Member State of the EU on May 25, 2018. The GDPR will therefore apply to data controllers and processors in the U.K. on and from this date and the Great Repeal Bill will translate the GDPR into national law.

The Information Commissioner has also made it clear that she expects the U.K. to want to keep in step with European data protection standards after it leaves the EU, both to facilitate cross-border transfers and because many U.K. controllers and processors will process the personal data of European citizens and are therefore caught by the GDPR in any event, as it has extraterritorial effect.

Pension scheme trustees will, therefore, need to comply with the GDPR from May 25, 2018.

With just over one year to go until the GDPR goes into force, it is now time to map your data flows and start reviewing current policies, procedures, systems and practices and ensuring you understand your data protection obligations.

The new law is not as radical a departure from the old law as might have been feared. Broadly speaking, data processes that are lawful under the U.K.'s DPA are likely to remain lawful under the GDPR. This should provide some comfort to trustees to the extent they are compliant with the current legal requirements. This is, however, subject to four important changes that are particularly relevant to pension schemes.

What Are the Key Changes for Pensions Under the GDPR?

1. More detailed privacy notices. The requirements relating to privacy notices under GDPR are more detailed and specific than under the DPA and place more emphasis on making them understandable and accessible. Privacy notices will need to contain additional information, such as details of the legal basis for the processing of the personal data that is held.

Existing privacy notices will therefore need to be reviewed and updated accordingly.

2. Overlapping controller and processor obligations, especially around security. Under the GDPR, data processors (i.e., those who process personal data on behalf of a data controller, such as a scheme administrator) will, for the first time, be subject to direct legal obligations. This significant exposure to additional legal liability will make compliance a higher priority among actuaries, employee benefit consultants and other advisers.

In addition, the GDPR will require agreements between trustees and these parties to cover various data protection issues. Data controllers (such as trustees) are not relieved of their obligations under the GDPR even if they have delegated to a third-party data processor.

3. Mandatory breach notification to regulators and members. Under the GDPR, breaches of the data protection requirements must be reported to the national supervisory bodies (i.e., the Information Commissioner's Office in the U.K.) within 72 hours. If breaches are likely to result in a high risk to the rights and freedoms of data subjects (i.e., pension scheme members, employees, etc.), the breach has to be communicated directly to the affected persons without undue delay.

4. More severe sanctions for noncompliance. The GDPR imposes significantly greater fines for noncompliance, up to the greater of €20 million or 4 percent of global annual turnover for the majority of data processing that is relevant for the pensions industry.

Jason Coates is an attorney with Gowling WLG in London. ©2017 Gowling WLG. All rights reserved. Reposted with permission of Lexology.
