How GDPR Will Effect the Pensions Industry

The introduction of the General Data Protection Regulation (GDPR) in May 2018 represents the most significant change to how businesses handle data in over 20 years. The legislation places considerably more obligations on data-controllers, coupled with much stricter enforcement and penalty systems. 

The pensions industry processes vast volumes of personal data – from names and addresses, to financial details, to physical and mental health information. So, understanding the impact of GDPR, and how to satisfactorily implement its requirements is hugely important for the industry.

Here are 5 ways the pensions industry is responding to GDPR:

  1. Creating written records of what data is held where

Data handlers in the pensions industry are mapping out exactly what personal data they collect, the ways in which it’s obtained, the purposes for which it’s held, and the parties with whom it’s shared. Crucially, they’re creating a written record of having carried out this exercise. This then forms the basis of a review into what data processing activity may need to be modified to comply with GDPR. The pension industry can only gather personal data on the basis of defined ‘processing grounds’. In some cases, changes will have to be made to continue under GDPR, particularly where pension schemes are relying upon the ‘consent’ and ‘legitimate interests’ grounds.

  1. Updating data protection policies and procedures

Depending on the nature of those changes needed to comply with GDPR requirements, the pensions scheme’s data protection policy may need to be updated accordingly. In some cases, pension providers are redrafting these in full. For others, who don’t have a data protection policy, they’re putting one in place for the first time. In each case, this updated data privacy notice is being sent to members, with key information including:

  • Identifying who exactly are the data controllers of individuals’ personal data
  • the grounds on which the pension scheme collects and processes personal data, the type of data collected, and how long it will be held for
  • the details of any third parties that personal data may be shared with
  • individuals’ rights regarding their own personal data
  • details on other issues such as how a complaint about data handling can be made, and how international transfers of data will be managed
  1. Implementing processes to guard against data breaches

GDPR requires that “adequate steps to protect data from breach” are taken. Gone are the days of non-electronic, unaccounted-for personal data languishing in cardboard boxes in a garage. Businesses across the pensions industry are now putting processes in place to not only better safeguard data, but also to ensure that any data breach that does occur is dealt with in accordance with the new obligation to notify the Information Commissioner within 72 hours.

  1. Accommodating pension members’ new rights

The pension industry is also getting clued-up on the new rights that members will have under GDPR. The right to be provided with access to one’s own personal data and the right to have one’s personal data erased, all demand pension schemes to have a process for responding to an exercise of any of these rights.

  1. Reviewing how data is transferred

Finally, compliance with GDPR is making the pensions industry pay much closer attention to transfers of personal data outside of the European Economic Area. Such transfers out of the EEA are now subject to much stricter requirements.

As the pensions industry adjusts to life under GDPR, it remains to be seen how many of the countless ‘grey-areas’ of the legislation will play out in this sector. Pension schemes, by their very nature, need to retain members’ data for decades on end. Will this begin to cause issues? Will the fine system be applied as stringently to the pensions industry as to the big tech players? Only time will tell.

If you’ve any queries, contact a member of the gpfm team today.

This article is for information only and must not be considered as financial advice. We always recommend that you seek independent financial advice before making any financial decisions.