Sackers has outlined the ten key actions trustees need to take to understand the responsibilities that will be expected of them from 25 May.
Commenting on the importance of the new rules, Sackers partner Claire Carey said: "The GDPR will introduce new contractual obligations, increase the information that needs to be given to individuals, and enhance reporting obligations in the event of a breach - with minister of state for digital, Matt Hancock, saying its aim is to give the UK 'one of the most robust, yet dynamic sets of data laws in the world'.
"Non-compliance could be met with heavy sanctions of up to £17m or 4% of global turnover, so it's essential that trustees can show they have taken all reasonable measures to get it right."
The ten-point Sackers GDPR checklist is:
- Audit your personal data: Under the GDPR, "personal data" is any information (whether opinion or facts) relating to an identified or identifiable living individual. As the ultimate responsibility for member personal data rests with the pension scheme's trustees, they are "data controllers" for this purpose. Trustees therefore need to make sure they know what personal data they hold, why they hold it, who else has access to it, how long it has been held, and whether it is still needed.
- What grounds do you have for processing personal data? For the processing of non-sensitive personal data to be lawful, at least one of six conditions must be met. Trustees therefore need to decide the basis (or legal grounds) on which they process scheme member personal data. Where consent is used as a basis for processing members' personal data (e.g. where sensitive personal data is being processed), the procedures for obtaining consent should be reviewed and updated.
- Update your contracts: Trustees will need to have a binding contract in place with any data processor whose services they engage, which will need to address a number of key points, including the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data involved, and the categories of individuals on whom it is held.
- Communicate with members: The GDPR will introduce additional requirements affecting the provision of information to members. Trustees will need to issue revised information notices (also known as privacy notices). Where trustees are joint data controllers, for example with the scheme actuary, the trustees may wish to prepare a joint privacy notice.
- Do members know their rights? Trustees need to tell members how their personal data is processed and ensure that members are fully aware of their rights in relation to the personal data that is held, such as the right to be forgotten and the right to have inaccurate personal data corrected. Trustees should ensure that their processes (and those of their advisers) are ready to deal with data requests from members.
- Review your policy: The trustees' data protection policy will be the main document for recording how they look after personal data in relation to their scheme, reflecting key decisions taken and procedures put in place to meet GDPR requirements. The content and structure will vary, but should aim to cover certain points as a minimum in line with record keeping requirements.
- Do you need a data protection officer? Both data controllers and processors will need to appoint a data protection officer (DPO) in certain circumstances, such as where their core activities involve "regular and systematic monitoring of data subjects on a large scale", or consist of large scale processing of sensitive personal data. Whilst it's unlikely that occupational scheme trustees will need to appoint a DPO, all schemes should assess whether they need one with input from their legal advisers and document their conclusions.
- Understand your role: Key to GDPR compliance is ensuring you understand what is required under the new rules. Talk to your legal advisers about how they can help.
- Be ready to demonstrate compliance: A new principle of accountability requires data controllers to be responsible for, and demonstrate compliance with, the data protection principles. Trustees should become familiar with the steps needed to fulfil their obligations.
- How well protected are you? Trustees should check what protections may be available to them in the event of any regulatory fines from the ICO or compensation claims from individuals arising from a data protection breach. As not all trustee insurance policies will cover such claims, it is important trustees check with their legal advisers the extent of any cover.