May 25, 2023, marked the five-year anniversary of the General Data Protection Regulation (GDPR) coming into force. Post-Brexit, the GDPR was transposed into UK law by way of the European Union (Withdrawal) Act 2018 and the European Union (Withdrawal Agreement) Act 2020.

The impact that this piece of legislation has had across all sectors, including the pensions sector, has been significant.

It has required organisations, including trustees, to prioritise the protection of personal data and to increase transparency, security and responsibility.

In the run-up to May 25, 2018, many schemes implemented GDPR compliance projects to ensure the correct notices, policies and procedures were in place to meet the many new requirements imposed by the legislation.

Fast forward five years, and there have been significant regulatory developments that impact how the requirements of the GDPR should be implemented. These include guidance and decisions issued by the European Data Protection Board (EDPB), the Information Commissioner's Office (ICO) and EU data protection authorities, along with key case law.

It is therefore of critical importance that trustees' GDPR compliance measures, and those of service providers who manage scheme data on the trustees' behalf, are up-to-date.

On this five-year anniversary of the legislation, schemes should take the opportunity to ensure that their GDPR compliance activities are in line with these developments. We set out below the latest position on some of the key areas of GDPR compliance.

Privacy notices

What's the latest? What should trustees be thinking about?

Articles 13 and 14 of the GDPR require trustees to provide comprehensive information to members about the processing of their personal data, including: the categories of personal data processed; the purposes of processing; the lawful basis for each purpose of processing; categories of recipients of personal data; and information regarding retention, individuals' rights and international transfers of personal data.

This is usually presented by way of a privacy notice.

Trustees need to be aware of recent enforcement decisions regarding privacy notices, e.g. the Irish Data Protection Commissioner's findings in respect of WhatsApp's privacy notice [1] and the Information Commissioner's Office's monetary penalty notice against TikTok [2].

In summary, the regulators expect privacy notices to provide information in much more detail and with greater granularity. For example:

  • There needs to be a link between the categories of personal data processed and the processing activity performed on them. Each processing activity should be ascribed a lawful basis and trustees should avoid ascribing multiple lawful bases per processing activity. In practice, a tabular format may be more suitable for presenting this information in this more granular manner.
  • If legitimate interests are being used as a lawful basis, the specific legitimate interests should be set out. If legal obligations are being used as the lawful basis, the specific law/regulation should be cited.
  • Categories of recipients should be as specific as possible and additional information should be provided about retention periods, including the criteria to determine these.
  • Further detail about international transfers should be provided, including the specific transfer mechanism relied on. There is also an expectation that countries to which personal data is transferred are listed.

Trustees should therefore consider whether their privacy notices need to be updated to take into account these requirements.

In addition to the above, trustees should also consider whether the purposes of processing set out in these notices remain accurate and comprehensive. We are, for example, seeing a number of trustees interested in undertaking (or instructing service providers to undertake) more detailed analysis on personal data, including by using AI technologies or sharing with third parties to facilitate bank transfers or insurance solutions.

These use cases may not have been contemplated in 2018 and may need to be added to privacy notices. Similarly, they will need to be added to records of processing activities (ROPAs), which all data controllers (including trustees) are required to maintain and update under Article 30 of the GDPR.

Finally, privacy notices need to be "accessible". This is particularly important in the pensions sector as a number of members may be vulnerable or may not possess the appropriate technical expertise or equipment to access online notices. Consider therefore the provision of updated notices as part of hard-copy newsletters that are provided to members.


Data sharing and international transfers

What's the latest? What should trustees be thinking about?

Trustees share member personal data with a number of third parties, including administrators, actuaries, consultants, advisors and service providers.

A number of these third parties, including administrators, act as "processors", and process member personal data on behalf of the trustees and in accordance with their instructions.

Under Article 28 of the GDPR, data sharing arrangements between trustees and their processors must be governed by a contract that includes certain mandatory processor provisions. These include requirements on the processor to: maintain appropriate security; assist with responding to data subjects' rights; inform the trustee of a personal data breach; only engage sub-processors with the trustees' consent; and allow for and contribute to audits.

Other third parties may act as controllers. Whilst the GDPR does not require mandatory data sharing provisions to apply between two controllers, guidance from the ICO [3] is clear that it nonetheless expects suitable data sharing arrangements to be in place.

With respect to international transfers of personal data, trustees should remember that transfers (including onward transfers, e.g. by administrators) of personal data from the UK to a country not considered as providing adequate safeguards [4] are not permitted unless the transfer is governed by a data transfer mechanism.

The most commonly used mechanism is the EU Commission-approved standard contractual clauses (SCCs). On June 4, 2021, the EU Commission issued an updated and modernised version of the SCCs [5], replacing the previous SCCs. On March 21, 2022, the ICO's UK addendum to the SCCs and the ICO's international data transfer agreement came into force [6].

Trustees should therefore review their arrangements with both processors and controllers to ensure that these contracts contain appropriate provisions (including all mandatory provisions) and that any commercially negotiated positions, including liability, continue to remain appropriate. This is particularly the case if the nature/scope/purpose of the data sharing has evolved over the years. Trustees should also ensure that provisions governing international transfers of personal data outside of the UK are now covered by the updated SCCs (as supplemented by the UK addendum), or the ICO's international data transfer agreement. Further information around key developments in this area, including the requirement to undertake transfer impact assessments, can be found in our 2020 publication on the Schrems II ruling.


Security and breach response

What's the latest? What should trustees be thinking about?

Trustees must ensure that the personal data for which they are a controller is protected by way of appropriate security measures, including technical, physical, and organisational measures. Trustees must therefore have oversight of their systems and processes, and those of their processors (in particular, their administrators who hold and process significant amounts of member data).

Consider undertaking an audit or review of the security measures and controls applied to member personal data to determine whether current measures remain up-to-date in light of new technology and new potential threats, particularly given the increase in cyber-attacks such as sophisticated phishing and ransomware. Trustees should consider engaging information security advisors or consultants to assist with this.

Make sure processes are in place to detect and respond to personal data breaches quickly, especially given the tight timelines under the GDPR to notify the ICO if reporting thresholds are met (i.e., within seventy-two hours of becoming aware). As controllers, the notification responsibilities fall on the trustees, so trustees will need to have procedures in place to obtain information and assistance from administrators and oversee their response.

To ensure that key stakeholders involved are aware of their responsibilities and required actions, trustees should consider reviewing and updating their breach response processes and undertaking "trial runs" of personal data breach scenarios with their administrators.


Data subjects' rights

What's the latest? What should trustees be thinking about?

Data subjects have numerous rights under the GDPR, including the right to access personal data processed about them (data subject access request or DSAR), the right to have personal data erased or rectified, and the right to have their data provided to another controller in a structured, commonly used and machine-readable format. These are subject to certain exemptions.

Responding to such requests, particularly DSARs, can be very time-consuming and difficult if systems are not set up in a manner where it is easy to retrieve and isolate personal data concerning a specific individual.

In practice, a number of these requests are responded to by administrators on behalf of trustees. As controllers, however, the compliance responsibility falls on the trustees.

Consider reviewing trustee systems and the systems of their administrators to ensure that these are structured in a way that facilitates responding to such requests. Trustees will also need to ensure that they have measures in place to provide sufficient oversight of how these requests are being responded to.


Policies and training

What's the latest? What should trustees be thinking about?

Accountability is a key requirement under the GDPR – trustees should be able to demonstrate compliance with the obligations of the GDPR. Internal data handling policies and training will assist with this. Consider reviewing all training and data protection policy material to ensure that these are up-to-date, easily accessible and available to all individuals in the organisation as required.


Comment

It's important to remember that whilst, on a day-to-day basis, trustees may not themselves be handling significant personal data, they remain "controllers" of the personal data of members of the applicable scheme, i.e. the trustees exercise overall control of the purpose and means of the processing of personal data.

As controllers, trustees have the highest level of compliance responsibility under the GDPR and generally remain responsible and liable for the processing of member personal data.

Footnotes

1. https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry

2. https://ico.org.uk/action-weve-taken/enforcement/tiktok/

3. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/data-sharing-a-code-of-practice/data-sharing-covered-by-the-code/

4. A list of countries considered adequate by the UK can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#Q1

5. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

6. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/
