With 25 May 2018 fast approaching, most pension schemes have work well underway in terms of preparing for the General Data Protection Regulation (GDPR). Trustees and employers need to understand their respective responsibilities under the GDPR, and ensure that updated processes and procedures in respect of their pension arrangements are in place. Although the GDPR will introduce a uniform set of requirements throughout the EU, it permits member states some latitude to adapt the law to suit their needs. The Government is repealing the UK’s existing Data Protection Act 1998 (DPA) and introducing new legislation, currently in the form of the Data Protection Bill, with the aim of giving the UK “one of the most robust, yet dynamic” sets of data laws in the world.
Why is the Bill being introduced?
The Bill is designed to bring the provisions of the GDPR into UK domestic law, subject to certain amendments, and to make our data protection laws “fit for the digital age.” It will also implement the Data Protection Directive, which applies to “competent authorities” such as the police.
One of the UK-specific modifications proposed by the draft Bill is a specific pensions easement. The wording is currently somewhat tortuous, but we believe that it is intended to help trustees where they are holding sensitive personal data (known as “special categories of personal data” under the GDPR) in respect of certain dependants, where it would not be reasonable to expect trustees to get consent, for example, under a death benefit nomination form. An easement along these lines already exists (in the Data Protection (Processing of Sensitive Personal Data) Order 2000), which allows processing of sensitive personal data in similar circumstances, but it is limited to specific individuals (namely, the scheme member’s parents, grandparents, great-grandparents and siblings).
We are currently awaiting further clarification of the intended remit of the Bill’s wording. By implementing the GDPR directly into UK legislation, the Government is also aiming to ensure that we have appropriate safeguards to enable the continued free flow of personal data across the EU, something which will be required for the UK’s future trading relationships in our post-Brexit world.
The Government has explained that without the new Bill, the GDPR would apply in the UK alongside the existing DPA until the Brexit process has concluded, leading to “legal uncertainty and confusion for both individuals and organisations in applying the law.” As the Bill, once in force, will apply both before and after the UK leaves the EU, it will attempt to hardwire the GDPR’s provisions into UK legislation while at the same time replicating and updating the relevant provisions of existing legislation. The upshot of this approach is that, in order to understand the Data Protection Act (as it will become), it will be necessary to read it alongside the GDPR. Reading two substantial pieces of legislation in tandem will of course present its own challenges in practice.
The Bill was announced in the Queen’s Speech on 21 June 2017, with subsequent publication last September. However, it is still making its way through Parliament and hopes for a Data Protection Act 2017 have now turned to a definite Data Protection Act 2018.