The GDPR / Pensions relationship
Lisa Lyon explores how the upcoming GDPR requirements will affect pension scheme management.
In May 2018 GDPR will replace the current data protection laws. The scope and detail of the new regulation will not only change what information tracing companies can use when offering a compliant service to their clients; it will substantially affect how pension companies maintain and manage member data.
Consider the following GDPR requirements:
- You will have to demonstrate that you maintain accurate member data, and that every reasonable step has been taken to rectify inaccuracies and correct data omissions without delay.
- You will need to demonstrate compliance with the new ‘accountability principle’, and the GDPR states explicitly that this is your responsibility. You may be asked to demonstrate how you keep your data accurate and up to date.
- Your organisation will be required to document all personal data held, where that data originated and who you share it with. If you have retained inaccurate personal data and shared this with another organisation, GDPR compliance will demand that you inform the other organisation about the inaccuracies, enabling them to make the appropriate corrections. These requirements will be unattainable without appropriate record keeping and a programme to check data accuracy.
- You will be obligated to report personal data breaches to the supervisory authority (within 72 hours of becoming aware of them, where feasible) unless the breach is unlikely to result in a risk to the individuals concerned. A breach means any breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Where the breach is likely to result in a high risk to individuals, you will also be required to inform those individuals directly.
GDPR compliance demands far more than adhering to the four aspects mentioned, but the necessity to achieve and maintain accurate member data is reinforced by them. While this is a familiar message, it is now being voiced with much more gravity by both The Pensions Regulator and the Financial Conduct Authority. In 2018 trustees of both DB and DC schemes will need to report on the presence and accuracy of their data in scheme returns. Additionally, the IORP II directive takes effect in January 2019, requiring annual benefit statements to be sent to all deferred members.
In simple terms, if your data is not accurate and up to date, you risk sending sensitive data to an out-of-date address. This is itself a reportable personal data breach, and it could open the door to fraud.
All of this intensifies the urgency to ensure that the personal member data you hold is accurate and up to date, but there are additional considerations. GDPR also places constraints on how this can be done. Tracing companies and data specialists use specific data sources to locate your members; some of these sources are categorised as ‘consented data’ or, in other words, the person that the data is relevant to has given consent for that data to be used.
However, the GDPR will change the way consent is obtained and recorded. From May 2018, where consent is the lawful basis relied on, it must take the form of a specific, informed and positive ‘opt in’ from the individual (pre-ticked boxes and inactivity do not count). Data held on the basis of consent that does not meet this standard will not be permitted for use and will require deletion unless another lawful basis applies. Many data sets currently used in people tracing and address verification will be negatively impacted by this legislation and will need to be discontinued.
Therefore, if you are conducting accuracy checks on the personal and address details of your members for the first time, or renewing such an exercise, ask the following questions of the tracing company you employ:
- What specific data sets will you utilise in locating my scheme members?
- Is the data you use sourced from a Credit Reference Agency?
- Is that CRA security certified and independently penetration tested, and can it show evidence of both?
- Is your tracing company security certified and independently penetration tested, and can you show evidence of both?
- Will the data you use be ‘consented data’?
- Has that consent been obtained in line with the forthcoming GDPR standard for consent, and can you evidence when and how it was given?
This intensified legislation does not need to be prohibitive to the administration of your schemes. Some pension organisations have already made pre-emptive changes to meet GDPR compliance, and this has not restricted them from achieving the accuracy that regulations require. It does not need to prevent you from doing so either.