PLSA publishes pension scheme data protection guide

The Pensions and Lifetime Savings Association (PLSA) has published a guide to help schemes meet tough new EU data protection regulations ahead of next May’s strict compliance deadline.

The EU’s General Data Protection Regulation (GDPR) regulations take effect from 25 May 2018, with no phasing in period, and with huge potential fines of up to €20 million, or 4 per cent of global annual group turnover if greater, in the event of a breach.

The new Made Simple Guide is published in partnership with Herbert Smith Freehills.

GDPR will completely change the landscape within which substantial processors of data such as pension schemes operate.

The guide includes:

  • A glossary of data terms essential to understanding the new regulations;
  • A suggested timeline for GDPR readiness;
  • A comprehensive list of steps for trustees to take including key considerations, explanations of the regulatory requirements, and suggested means of implementing them:
    • Map your data flows and identify associated risks
    • Determine on what grounds you will be processing data
    • Appoint a Data Protection Officer (or justify not appointing one)
    • Reassess how you engage with your membership
    • Update policies and procedures
    • Review and renegotiate third party agreements

PLSA deputy director for defined contribution Nigel Peaple says: “The GDPR will have a substantial impact on our members and on other organisations within the financial sector.  As a result of GDPR pension schemes can no longer take a reactive approach to data compliance, as was possible under the Data Protection Act 1998. Schemes will be required to design and implement systems on a proactive basis, to ensure that any processing activities are compliant and are backed up by good record-keeping.

“As every action that a pension scheme undertakes involves the processing of data this is sure to be a mammoth task. GDPR’s reforms, as supplemented by the provisions of the Data Protection Bill 2017, will impact every DB and DC scheme in the UK.”

Herbert Smith Freehills global head of employment, pensions and incentives Alison Brown says: “Our key message to schemes and their trustees is to be thorough, keep an eye on developments – there is a lot still to come – and, given the number of workstreams and necessary involvement of third parties, to make a start as soon as possible. We hope this guide helps schemes either begin to make necessary preparation for GDPR, or to plan next steps.”