Football may not be coming home, but data protection certainly is!

There are many issues stemming from the General Data Protection Regulation (“GDPR”) which will impact on pension plans. We would like to share a few thoughts on just one of these.

For the first time, data processors will be directly liable for breaches of the GDPR, and the figures, quite frankly, are scary. Breaches can carry a maximum fine of €20m (or 4% of global turnover), whichever is the higher. Ouch!

For pension trustees, as data controllers, this must surely be good news as some of the responsibilities for compliance are shared. However, housekeeping issues must first be addressed, and this could be a little painful. More extensive obligations will have to be included in data processing agreements.

How are data processors likely to react to increased risks that they face?

One distinct possibility is that data processors will seek indemnities from trustees. The increased work associated with compliance may also push up data processing costs. For example, data processors will be required to keep full records of exactly what personal data is processed, for what purposes, how and by whom, and with whom it is shared, as well as, where feasible, the security measures applied to it and how long it is to be kept. Data processors also risk being sued by individuals or by consumer organisations bringing a “class action”. In addition, the requirement to notify compliance breaches within 72 hours means that data controllers will need a robust data breach response plan – one that builds in the fact that breaches can happen at 11pm on Friday evening or whilst the person normally responsible for compliance is ‘finding himself’ in Outer Mongolia.

If trustees are negotiating new contracts with service providers that will (or might) continue after May 2018, it is important that:

  • the new mandatory provisions under the GDPR are built into the contract,
  • any limitation of liability provisions still offer the maximum protections available to trustees,
  • the contract sets out which party will comply with the new mandatory record keeping requirements about the personal data that is processed.

If these issues are not built into contracts now service providers may resist providing some services or may seek to make additional charges for doing so when this becomes a legal requirement. Trustees should also consider revisions to existing contracts for the same reasons set out above.

As a general principle, trustees should avoid accepting “standard terms” from service providers without seeking legal advice. Don’t throw in the towel too easily – the risks are too high.

Our pensions specific data protection newsletter gives a fuller picture of the actions that trustees, as data controllers, should consider.