The General Data Protection Regulation ('GDPR') takes effect from 25 May 2018 and was introduced to further harmonise and modernise data protection procedures.
While many of the concepts, obligations and ideas of the existing data protection regime under the Data Protection Act 1998 ('DPA 98'), which the GDPR will replace, remain the same or similar, there are some significant changes.
The topic of data protection generally is a vast one and the purpose of this briefing note is to provide a summarised overview of the key changes to the existing regime.
What is new or different?
Enforcement - The fines that may be imposed for breaches of the GDPR have been significantly increased. Depending upon the type of breach, a fine of up to 4% of annual worldwide turnover for the preceding financial year or EUR 20m (whichever is the greater) may be imposed. The percentage fine is linked to an 'undertaking', a concept phrased around corporate groups. It currently remains a grey area where an Occupational Pension Scheme fits into the undertaking concept and whether the sponsoring employer's group turnover would be factored into any fine relating to such a scheme.
Consent - This concept has been restated and revised so that there is now a requirement for demonstrable consent by the individual. Consent in this context means clear affirmative action, and the consent should be informed, specific, unambiguous and given freely. Consent given, for example, in a contract will only be valid for the specific purposes required by the contract. Consent is required for each processing purpose, and explicit consent is still required for sensitive personal data. Individuals have the right to withdraw their consent at any time.
Where pension scheme data is held and processed by and/or for trustees, currently it is likely that only implied consent has been given. Trustees will need to consider the basis on which they have consent and take steps to ensure that data subjects' consent satisfies the stricter new requirements.
The focus on the need for clear, unambiguous and granular consent means consent is not an easy route to satisfying the requirement for processing to be lawful. Trustees in particular should consider relying on one of the other lawful reasons for processing data: the legitimate interest reason, or the statutory compliance reason for auto-enrolment purposes. Under the legitimate interest reason, processing is necessary for the purposes of the legitimate interests of the data controller or the third party to whom the data is disclosed (this must be balanced against the individual's own legitimate interests); under the statutory compliance reason, processing is necessary for compliance with a legal obligation to which the data controller is subject.
Accountability, Compliance and Governance - One of the key changes is the enhanced focus on accountability and governance which will require increased awareness of the GDPR requirements. It will be important to understand the impact of the changes and identify the areas of difficulty in compliance.
An assessment of the risks of non-compliance should cover the GDPR's provisions that promote accountability (monitoring and review) and governance. Data controllers should review what personal data they hold and any parties they share it with. Part of the overall governance focus is covered by the concept of Privacy by Design. This means appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities. Existing compliance programmes should be reviewed and adapted if necessary.
There is also a legal requirement to carry out data protection impact assessments (DPIAs) where proposed activities are likely to result in a high risk to the rights and freedoms of individuals. What 'high risk' means is not further expanded, so it may be difficult to be sure where the line lies. DPIAs will consist of a range of questions on the activity, including its objectives and outcomes as well as the scale of the data being processed, whether new data is needed, what protections to privacy are being used, and who might be affected and how if that protection fails. Detailed records of data processing must be kept, and these will include DPIAs.
Enhanced rights of individuals - The rights of individuals as data subjects are strengthened and some new ones have been introduced:
- Right to be informed - an obligation to provide 'fair processing information' through a privacy notice. There must be transparency on how the information will be used and there is an emphasis on clear, concise notices. The list of information to be provided has been expanded by the GDPR. The time at which it should be made available will depend on when the data is collected.
- Right of access - individuals must be able to access their data to verify the lawfulness of the processing. They will do this through subject access requests. The key change here is the shortening of the time by which a response is required, from 40 days to one month. The right to charge for a response has been removed except in exceptional circumstances.
- Right of erasure or rectification - in the event of inaccurate or incomplete data. This is expanded to cover more circumstances than before.
- Right to data portability - individuals may reuse and transfer their personal data for their personal use to another controller without restriction as to usability. This is a new right reflecting the changing technology landscape.
- Right to object - processing of data is subject to consent and individuals can object to certain types of processing such as direct marketing or processing for research or statistical purposes. Subjects must be given explicit notice of their right to object from the outset.
Data Breach notification - A data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The GDPR introduces a requirement to notify the relevant supervisory authority of any data breach that is likely to result in a risk to the rights and freedoms of the individuals affected. Failure to notify a breach is a breach of the GDPR itself. Where a breach occurs, it must be reported to the relevant supervisory authority without undue delay and within 72 hours of awareness, unless it is unlikely to result in a risk to the individuals. Any delay will need to be justified. Where there is a high risk, the notification must be made to the individual as well. In this context 'high risk' would mean, for example, leaving the data subject open to discrimination, fraud or financial loss. The GDPR sets out the necessary information to be included in a report, including the nature and category of the breach and the approximate numbers of individuals and personal data records concerned.
A robust breach detection process ought to be in place. Where working with data processors or joint controllers, evidence of their detection and breach management processes should be confirmed and demonstrated, and records retained. It may be necessary in that case to agree one shared process, or changes to each party's processes so that they link up and work together.
Territorial Scope - The GDPR extends to the processing of personal data of data subjects in the EU by a controller or a processor who is not established or located in the EU, if they offer goods or services to data subjects in the EU or if they monitor the behaviour of data subjects where that behaviour takes place in the EU. Many non-EU businesses not previously covered by the DPA 98 will now be covered by the GDPR and may need to consider the possibility of having representation or offices inside the EU to manage their data protection obligations.
PREPARING FOR GDPR 2018
For Occupational Pension Scheme trustees, the following are the areas on which their efforts should initially be focused.
- Trustees should carry out an audit of the data that they hold; a data questionnaire is a useful tool. The aim is to map the data and identify current compliance and the role of the trustees and other parties in processing the scheme data, so that risk areas can be identified and processes agreed and put in place, with the assistance of advisers, to ensure demonstrable GDPR compliance.
Confirm the lawful basis for your processing
- Is the basis consent? If so, are existing consent forms still fit for purpose, or is a full review required to meet the upgraded requirement of express, unambiguous and granular consent? Agreement with the sponsoring employer on what form the consent will take may be required. Alternatively, is reliance going to be placed on one of the other acceptable lawful reasons for processing? The basis to apply should be recorded and communicated to the data subjects concerned (see Communicating Privacy Information below).
Communicating Privacy Information
- Review the information currently provided (this may be covered by a third party; the data audit will confirm). Ensure it is updated to GDPR levels, including covering the basis on which you lawfully process, confirmation of the right of the data subject to complain to the Information Commissioner's Office, and for how long the data will be held. Tools such as privacy/fair processing notices can be utilised.
Data Subject Rights
- How are the rights of data subjects currently being met, and what changes to processes are needed? Particular focus should be on subject access requests (SARs) and how these are met; processes and responsibilities should be clarified and updated, and the changed deadlines reflected. Utilise privacy by design through such features as encryption, anonymisation and pseudonymisation. Liaise with third parties to ensure a joined-up approach and clarity on responsibilities.
- The same actions should be taken in relation to breach notifications and it may be relevant to establish a specific group to deal with breaches and/or SARs. All processes should be recorded and current governance tools such as business plans and risk registers can be used.
- Mitigate the breach risk by upgrading security features where necessary.
- Consider trustee meetings and how data is prepared and shared in that context and, particularly where individual trustees are involved, what the retention and destruction policy of such information is. Agree such policies where none exist or are deemed not adequate for GDPR compliance.
Third Party Contracts
- Where data is held or processed by third parties, trustees must review any contracts that are in place to ensure sufficient protection is provided. As contracts will have been drafted without the increased GDPR requirements in mind, it is likely that enhancements will be needed to ensure compliance. However, as data processors can be held directly liable for non-compliance under the GDPR, there should be an appetite for ensuring procedures, contracts and agreements are compliant. Contracts will also need to allow for the provision of data to comply with the tighter subject access request timeframes.
- Engage with third parties to review contracts and update them, and also to understand their GDPR compliance route. Obtain confirmation of their security features including a cybersecurity statement where available.
Whilst there are no surprises under the GDPR, it does require a re-think as to how data protection obligations are met and evidenced. Occupational Pension Scheme trustees by and large will be able to rely on and work with their Sponsoring Employer, who may be addressing many of these issues as part of their business operations. Wherever possible it is recommended that the parties work together to minimise repetition and to ensure that the data protection offerings of both the business and the Pension Scheme are aligned and symbiotic. As an example, there is a requirement for Data Protection Officers where an organisation's core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Accordingly, many Sponsoring Employers may have a Data Protection Officer or may have an appointed employee dealing with data protection matters. It is unlikely that an Occupational Pension Scheme would require a Data Protection Officer, but clearly if the Sponsoring Employer has that resource it would be sensible for the trustees to use it.
Many of an organisation's existing processes could be fit for purpose, so much of the work may be adapting rather than introducing new processes.
The UK's Data Protection Bill was announced in the Queen's Speech earlier this year and UK legislation is expected in September 2017. Without the introduction of UK legislation the GDPR will apply in any event from May next year, but on exit from the EU there could be confusion as to the ongoing requirement in relation to data protection. UK legislation will address this and, given the Government's statement that it is the intention that the UK 'retains its world class regime protecting personal data', it will do what the GDPR does by incorporating the GDPR into national UK law, so that after Brexit the same data protection regime will apply to the UK as applies to the rest of the EU.
Through whatever format the obligations apply it is clear that there will be an impact on most organisations and Occupational Pension Schemes, and for trustees the key focus should be to ensure a proportionate, effective and evidenced response that ensures the security and privacy of the data that they control.
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.