UK Prime Minister, Theresa May, has indicated that the Article 50 exit negotiation will be triggered by the end of March 2017. Absent the unanimous agreement of all other 27 EU member states, the UK will automatically cease to be in the EU and subject to its rules and regulations two years after the notice is given. In the meantime, the EU’s new General Data Protection Regulation (GDPR) will come into force across the EU on 25 May 2018 and will be “directly applicable” i.e. be law in UK without the need for domestic legislation. Thereafter, the UK is likely to remain substantially aligned with the GDPR (subject to the terms of any Brexit deal).
The focus of this article is on how the significantly enhanced potential for GDPR based fines could play out in a UK pensions context. Remember that under GDPR, the Information Commissioner’s Office (ICO) will be able to levy fines of up to €20 million or 4% of global turnover if greater. This dwarfs the current maximum fine available of just £500,000.
Assume a UK “pension plan” is fined by the ICO. It would actually be the trustees of the plan who would be fined as the trustees are the data controllers for data protection law purposes. This is true both now and under the GDPR. The question then is how the fine gets paid. Pensions law prohibits trustees being reimbursed out of plan assets for financial penalties imposed following conviction for an offence and for payment of fines payable under pensions legislation. As ICO data protection fines do not follow conviction for an offence and are not made under pensions legislation, it seems there is no statutory bar to fines being paid from plan assets. But that is not to say that making a payment from the plan will be problem free. Among other things, the payment may put a strain on plan cashflow and funding, will be subject to audit review, may need to be reported to members and could attract the attention of HMRC as a potentially unauthorised payment.
But trustees must also consider the terms of their plan’s governing rules. Many scheme rules reflect the statutory position above but others are more generic meaning that the trustees could be unable to use scheme assets and would instead have to rely on an indemnity from the plan’s sponsor group. In the face of a potentially significant cash call following a fine, some sponsors may examine the terms of the indemnity. Such indemnities often contain exclusions for “knowingly” (or similar words) doing or omitting to do something so trustees who have ignored or deferred data protection compliance could find the indemnity doesn’t work. Which leaves trustees either personally exposed or relying on any available insurance policy. This is perhaps another good reason for traditional unincorporated trustee boards to incorporate.
Which leads us on to another GDPR related complication. Most (but not all) trustee companies have been incorporated as a £100 shell subsidiary within the plan’s sponsor group. Any fine therefore is likely to make the trustee company insolvent which would disqualify the trustee company from acting as a trustee and could cause the sponsor group problems, for instance under group finance documents or for the group brand. It could also cause problems for individual trustee directors. So, one might expect the sponsor group to step in to help pay the fine.
But consider this. ICO has freedom to fine by reference to 4% of turnover of an “undertaking”, including its economic group. In very serious cases, where sponsor group turnover exceeds €500 million and ICO felt a €20 million fine was inadequate, ICO could arguably look to fine in excess of €20 million. That level of fine would likely be problematic in many corporate groups, especially as it is probably not “on radar” as a corporate risk. Note that this problem would not arise in relation to a corporate trustee which is not part of the sponsor group, such as a company limited by guarantee.
These issues will be of particular concern to professional trustees, who mainly operate via corporate entities. Any fine would be reputationally damaging. A fine which cannot be paid by the pension plan and is not paid by the sponsor could have significant implications for the business.
All of which points to a pressing need for pension plan trustees to put GDPR readiness on their agenda and devote time and resource to achieving and maintaining compliance.