Data Protection: New regulation is on the way, are you ready?

Stringent new rules for the management of data are on the way with implications for LGPS. Kirsty Bartlett explains the key stages for achieving compliance.

On 25 May 2018 the General Data Protection Regulation (GDPR) will come into force across the European Union. This represents a significant challenge to LGPS administering authorities: there is a lot to do from a pension perspective to demonstrate compliance with the new laws.

The underlying concepts of GDPR will be familiar from existing UK legislation (the Data Protection Act 1998), but some of the detailed requirements are tougher and the process for demonstrating compliance will change. The risks of getting it wrong are significantly greater – the maximum fine will increase from £500,000 to €20m (or 4% of global turnover if higher, although it’s not clear how this would apply to an administering authority).

Stage 1: Data mapping

Administering authorities are data controllers of the information they collect in order to pay pension benefits. Under GDPR, data controllers must on request provide the Information Commissioner’s Office (ICO) with a written record of the personal data they hold, the legal basis for holding it, how it is processed and safeguarded, and how long it is held for.

This data map must cover administering authorities and any data processors. In practice, it is recommended that any other data controllers with whom administering authorities share personal data (e.g. scheme employers) are included in the data mapping process: the reputational risk of a data breach concerning LGPS data will inevitably spread to administering authorities even if they are not at fault.

Data mapping is the gateway to GDPR compliance: the remaining stages all flow from understanding how personal data is currently processed. It is a complex process that will inevitably require input from a number of third parties; administering authorities need to contact any third party administrator, their actuary, auditor, legal adviser, occupational health provider, AVC providers, etc. It is not uncommon for funds to involve a dozen, or more, data processors in their data map. And that’s before considering several hundred participating employers.

The key message is to start your data mapping now if it is not already underway. Asking data processors to complete a standard questionnaire can help to manage the process more efficiently and provide responses in a common format to ease analysis and further due diligence. Your legal adviser should be able to assist.

Stage 2: Updating processes

Once the data map is complete, administering authorities should consider whether their current processes are adequate. GDPR is an opportunity to keep pace with best practice, not just a form-filling exercise. Risk registers and policies should be reviewed and updated where necessary.

As a minimum, administering authorities should have a breach response plan that enables them to report serious breaches of GDPR to the ICO within the maximum 72-hour period; they should also have a process to comply with the new, shorter timescales for dealing with subject access requests.

Public authorities are required to appoint a data protection officer, and administering authorities are likely to have a wider GDPR compliance plan that will need to involve those responsible for LGPS funds. However, having a data protection champion within the LGPS team could be a useful practical step. The personal data held for LGPS fund purposes is inherently a high-risk area for administering authorities: it is exactly the type of data attractive to fraudsters, and it is necessarily held for an extremely long time.

Stage 3: Reviewing contracts

All contracts with third party data processors will need to be reviewed and updated before May 2018. The requirements for contracts to comply with GDPR are more stringent than under current UK law and data processors will have direct legal obligations and liabilities. Some data processors may look to pass all, or some, of those liabilities back to data controllers under their contracts.

At least one large consultancy has already written to all clients looking to impose a standard GDPR contract amendment by notice: those who don’t object will be deemed to have accepted the new wording. Administering authorities will need to review any wording put to them, or require data processors to accept the fund’s own standard contract amendments.

Stage 4: Communications with members

All LGPS fund members should be issued with an updated privacy notice before May 2018, informing them what personal data is held, how it is processed and how long it will be held for. GDPR is more prescriptive, so current notices are unlikely to comply. GDPR also requires privacy notices to be easy to understand, which represents a real challenge given the mandatory content.

The good news is that administering authorities will not need to seek individual member consent to collect and process personal data for their LGPS funds. Obtaining consent under GDPR is a more difficult process and it must be capable of being withdrawn at any time. Instead, administering authorities can rely on their legal obligation to comply with the LGPS Regulations as the basis for which they collect and process personal data.

Some circumstances will require special consideration. Personal data relating to health or sexual orientation comes with a higher standard of protection, so communications dealing with ill-health pensions and survivor benefits need to be revisited. Administering authorities may decide it is impractical to issue a privacy notice to every potential dependant named on an expression of wish form, but they could ask members to inform their nominees that personal data has been provided to the LGPS fund.

GDPR is unlikely to change fundamentally how administering authorities process personal data, but there is a lot of legwork needed between now and May 2018 to demonstrate compliance. Brexit is no silver bullet: the Data Protection Bill currently going through Parliament will enshrine GDPR into UK law. Authorities needing additional resource can contact the LGPS Frameworks to engage an appropriate third party adviser.

The world will not stop turning on 25 May 2018 but, if you do have a data breach, the ICO will be more sympathetic if administering authorities have taken significant steps towards GDPR compliance before then.

Kirsty Bartlett

Kirsty Bartlett is a partner at Squire Patton Boggs (UK) LLP.