On 24 May 2016 a new General Data Protection Regulation (GDPR) was adopted by the European Union – this is a radical reform which will have a material impact on the operation of pension plans. The GDPR will be directly applicable in all EEA countries (so no implementing legislation is required from the UK Government) and will replace the Data Protection Act 1998 (DPA) from 25 May 2018.
Given that the GDPR comes into force on 25 May 2018, and it is anticipated that Brexit will not occur until two years after the date the Government serves a notice on the EU of its intention to leave, the GDPR will come into force in the UK and will govern for an interim period. This means that pension plans must, for now, continue to comply with the DPA, and should also prepare for the stricter data privacy regime to be introduced by the GDPR. Enforcement by the UK Information Commissioner (ICO) remains an open question for the period after the GDPR is in force and before Brexit occurs, but the ICO has stated that it has always worked closely with regulators in other countries, and that this would continue to be the case during this period of flux, and beyond.
The position after Brexit will depend on the terms of Britain’s access to the EU market. If the UK adopts the Norwegian model, it will have to agree to comply with the GDPR in full, but even if the UK opts for a less rigid relationship with the EU, in order to protect the flow of personal data between the UK and Europe, it is more than likely that the UK will need to align its data protection laws with the GDPR. The ICO has already stated that it will be making this case to the Government.
In the unlikely event that the UK does not adopt provisions broadly equivalent to the GDPR, it is inconceivable that the UK Government would repeal the DPA as, without that, the UK would have no chance of being treated as a country approved by the European Commission for data transfer purposes (and even with that, it may not be enough). Many pensions trustees do not comply fully with current data protection law, particularly as regards the appointment of service providers, the giving of privacy notices, and transfers of personal data outside the EEA by their service providers, or allowing access to personal data from outside the EEA. The ICO, which is already becoming more willing to exercise its powers to fine, is likely to become more assertive, so as to demonstrate to its European counterparts that data protection is still treated seriously in the UK. Also, a number of the changes that will be mandatory under the GDPR, like the additional clauses that must be included in processor agreements, are ones that are highly beneficial for trustees, so there are significant benefits in trustees starting to address them now.