Why pension schemes need to know about new data protection rules

There are new rules on data protection coming into force from May 2018 which affect all organisations that hold personal data – including pension schemes.

As they are EU regulations they won’t need to be transposed into UK law in order to take effect. The government has, however, announced its intention to pass a new Data Protection Act to enact the necessary reforms.

If you cast your mind back to 1998 (when the most recent Data Protection Act was passed), the world was completely different. Skype, Facebook, Twitter, smartphones, broadband, cloud storage and the selfie were all yet to come into being. All of these innovations have provided great benefits, but at the same time they have led to a huge increase in the amount of personal data held by private companies.

Whenever a large amount of data is stored there is the potential for things to go wrong – just last month, telecoms giant TalkTalk received a £100,000 fine from the Information Commissioner’s Office (ICO) for a breach of security that left tens of thousands of customers’ personal data at risk. As the amount of data produced and stored increases exponentially, we have to revamp the data laws for the world in which we find ourselves.

The General Data Protection Regulation (GDPR) is essentially about bringing data protection into the digital age. It strengthens the existing principles of the 1998 Act and gives consumers some additional rights. The most high-profile of these is the right to erasure (publicised as the right to be forgotten), but it is by no means the only way in which consumer rights are strengthening. Stricter timelines on responding to access requests and the right to data portability are other ways in which the regulation strengthens the consumers’ hand. Data controllers will also have to seriously consider whether they need to have a Data Protection Officer to co-ordinate these responsibilities.

Alongside these new rights and responsibilities there is also a much more severe enforcement regime. The ICO will have the ability to fine companies up to £17 million or 4% of global turnover, a dramatic increase from the previous limit of £500,000.

At the Pensions and Lifetime Savings Association (PLSA), we’ve produced a Made Simple guide, in partnership with Herbert Smith Freehills, to help schemes understand the new rules. Pension schemes, by their very nature, will always accumulate large amounts of personal data, which is why it’s essential for them to start early and plan their road to compliance.

By Matthew Burrell
Senior Policy Adviser (DC), Pensions and Lifetime Savings Association