The General Data Protection Regulation brought about a seismic shift when it was introduced in 2018.
Over the following months, pension trustees took the time to update privacy notices and policies, and ensure their suppliers and advisers were following the new data protection law.
By treating the GDPR as a project and putting it high on their agendas, trustees were able to improve the privacy protections for members.
Two years on, are trustees continuing to give data protection the focus it needs?
Trustees are ultimately responsible for their scheme’s compliance with data protection laws. As data controllers, they are expected to follow best practice.
Two recent developments mean that it is time to revisit data protection.
Brexit and data protection regulations
The end of the Brexit transition period on 31 December 2020 impacts significantly on trustees who are sharing data with companies in the EU.
Post transition period, there are two data protection regimes which run in parallel – one in the UK and one in the EU. Although these regimes are near-identical for now, they have the potential to diverge over time. Many contracts won’t have been updated to reflect the fact that the UK is not a member of the EU.
Trustees will need to be confident they can continue to share data with companies in the EU. The UK has not yet been added to the EU’s list of “adequate” countries for data transfers (meaning EU companies will not be able to send data to the UK without additional safeguards once a six-month “bridging” period ends after June).
The good news is that there is a clear commitment from the EU to add the UK to its list of “adequate countries”. But there are no guarantees, and trustees should future-proof their documents now.
New requirements for international data transfers
In July 2020, the European Court of Justice issued its decision in Schrems II.
This created new data protection compliance challenges, with a new requirement to assess the risks relating to international data transfers.
The decision also invalidated the EU-US Privacy Shield Framework, which is often used where there is a transfer of data to the US.
What happens next?
As a result of these developments, pension trustees will need to review and update contracts with service providers and third parties.
We can help you by reviewing your contracts with service providers to ensure they are up to date and in line with the latest changes in the law. We have experience of negotiating on data protection issues with many of the key service providers for pension trustees.
We can also help you by auditing your scheme’s data protection policies, procedures and privacy notices to ensure that these are in line with current best practice.
If you would like to discuss any of the issues raised in this article please get in touch.