GDPR: Implications for Pension Schemes
As an employer, you have an interest in ensuring that your scheme will be ready to comply with the new law.
GDPR applies to pension schemes too. The practical implications of GDPR depend largely on the type of pension scheme that you offer for your workers.
If you offer a contract-based scheme (such as a group personal pension), the onus of GDPR preparation for the scheme will fall largely on the provider. The same is true if you participate in one of the commercial master trust schemes used by many employers to comply with their automatic enrolment obligations. If you have your own trust-based occupational pension scheme, however, there is more work to do: the trustees are the data controller for the scheme's member data, so the legal responsibility falls primarily on them.
Trustees of occupational pension schemes should now be well on track with their preparations for the implementation of GDPR on 25 May 2018. Those who are not need to take urgent action.
Key GDPR related action points for scheme trustees include:
- Issue new GDPR-compliant privacy notices to members. Alternatively, some trustees may prefer to review and update existing notices.
- Review and update other scheme documents such as membership forms and death benefit nomination forms.
- Contact external administrators and other service providers to check what scheme data they hold and the compliance measures they are taking.
- Identify the categories of data held and the legal grounds for processing it. So far as possible, pension schemes will want to rely on grounds other than consent, since consent can be withdrawn at any time and the scheme must be able to keep processing member data in order to pay benefits.
- Review and update contracts with service providers to ensure they contain suitable GDPR provisions.
- Put in place a policy for identifying, recording and reporting personal data breaches to the Information Commissioner's Office (ICO). Where a breach must be reported, GDPR requires notification without undue delay and, where feasible, within 72 hours of the trustees becoming aware of it.
- Prepare a GDPR policy to document processes and to help demonstrate compliance.
Employers have their own stake in the scheme's readiness for the new law. Compliance breaches may reflect administrative weaknesses in the scheme. They may also damage its reputation in the workplace. Under most schemes, the costs associated with non-compliance (including potential fines) may ultimately be borne by the employer.
Scheme trustees and employers should discuss GDPR and cyber security issues together. Working together, especially in matters such as IT support and the vetting of shared service providers, will help to minimise overall costs.
You may already have made a substantial investment in ensuring that your business will be compliant with GDPR. If you have not already done so, ask the trustees of your pension scheme to confirm the status of their preparations. There is still time for you to share your experience and to provide support if it is needed.
Mark Poulston heads the pensions team at Weightmans LLP and is based in Liverpool. Should you require any guidance on this issue, please do not hesitate to contact Mark or speak to your usual Weightmans advisor.