The European Union General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Before that date, trustees of UK occupational pension plans will need to undertake some preparatory work, including:
- Creating records of all personal data processing activities (or confirming delegation to plan administrators and obtaining confirmation that they will do this) and ensuring administration agreements reflect who is doing what,
- Reviewing and amending agreements with other third parties,
- If data is transferred outside of the EEA, putting in place international data transfer mechanisms,
- Reviewing data security measures (see below),
- Putting in place procedures for new individual rights,
- Reviewing and amending privacy notices,
- Assessing whether there is any ‘high risk’ use of personal data and
- Formally adopting and rolling out new policies and procedures.
There are some obvious and less obvious pitfalls to consider here. For example, if a trustee is on holiday outside of the EEA and picks up emails containing personal data whilst away, that will constitute transferring data outside of the EEA.
The recent global cyber attack has thrown into sharp focus the need for trustees to ensure the robustness of the cyber security measures put in place by their data processors. As Investment & Pensions Europe reports, there has also been a recent instance of a Belgian pension fund being subject to a cyber attack – the Ogeo hack.
Where trustees access emails and documents containing personal data through their own home computers and/or personal mobile devices, there are some key issues about how this is managed:
- Do all trustees use up-to-date malware protection?
- Do the trustees have rules around the encryption of personal data?
- Do the trustees have a formal policy covering cyber security risks, or do they document a policy in a business continuity plan or risk register?
- Is there a nominated trustee who is specifically responsible for cyber security?
- Has the trustee board had any training on cyber security in the past 12 months?
- Do service level agreements require the trustees’ providers to adhere to specific cyber security standards?
- Do the trustees have a cyber security incident plan in place?
- Do the trustees have insurance in place that would cover a cyber security breach or attack?
- Do the trustees use a segregated wireless network with firewalls?