Many pension schemes and sponsoring employers took note when the EU’s General Data Protection Regulation (GDPR) was published in May 2016. It is a significant new piece of legislation, and achieving compliance by the effective date of 25 May 2018 will require a fair amount of upheaval.
Brexit has made it more complicated for schemes and employers to plan when, and whether, they need to comply with the big changes heralded by the GDPR.
So how might data protection reform look in the post-Brexit world? And what steps should employers and trustees of pension schemes be taking now?
Will the GDPR come into force in the UK?
The GDPR will come into force in EU member states on 25 May 2018. The summer of 2018 may be when the UK ceases to be a member state. It is therefore possible that the GDPR may only apply for a short period of time.
Might the GDPR framework apply even after the UK leaves the EU?
It could be the case that, even if the GDPR does not apply to the UK as an EU member state, the provisions of the legislation end up applying anyway.
How this happens in practice will depend on the outcome of the exit negotiations, so there are a number of possible outcomes.
If the UK ceases to be an EU member state but is accepted as an EEA state (like Iceland, Liechtenstein and Norway), the GDPR would need to be implemented in the UK as if it had never left the EU.
If the UK does not become part of the EEA then the GDPR framework might continue to apply, albeit in a different form. This is because in order to receive data transfers from EEA states – essential for international business – the UK would need to show it is providing 'adequate protection' for data. The simplest way to do this would be to implement the key provisions of the GDPR in equivalent UK national legislation.
Alternatively, following the exit from the EU, the UK could choose to implement a bespoke, less onerous and more business-friendly version of the GDPR. It is not clear what form this would take, but the legislation could potentially place a lower data protection burden on domestic data controllers such as trustees of occupational pension schemes, and impose the more stringent GDPR-type framework only on data controllers who are sharing data with EEA states.
In any case, organisations that are 'offering goods or services' to, or 'monitoring the behaviour' of, individuals resident within the EU will need to comply with the GDPR. It is not entirely clear whether operating a pension scheme would fall under either of these categories but there is a risk that, to the extent that a pension scheme has members resident in EU member states, the scheme trustees would be required to comply with the GDPR in respect of those members.
What action should employers and schemes be taking now?
Given the potential uncertainty about what shape the reforms to data protection legislation will take, and the run-in time until May 2018, a sensible approach may be:
- Considering the actions in the ICO’s 12-step guide on preparing for the GDPR (which principally involves checking that data protection provisions comply with the law as it currently stands, and that key decision makers are aware that changes are on the horizon);
- Designating a key individual, committee or working group to keep a watching brief on this area; and
- Trustees co-operating with the scheme employer to ensure that a joined-up approach is taken to complying with any data protection reforms.
Oliver Topping is an associate at Sackers