Speaker
|
Transcript
|
Helen Cracknell, Associate, Burges Salmon
|
Hi everyone and welcome to episode 5 of season three of the Burges Salmon Pensions Pod. My name is Helen Cracknell and I'm an associate in the Burges Salmon pensions team and I'm also joined by Chris Brown, a director in the team.
|
Chris Brown, Director, Burges Salmon
|
Hi Helen, hello everyone.
|
Helen
|
In today's episode we're going to be looking at data protection for pension trustees five years on from GDPR and we're joined by Isaac Bedi.
|
Isaac Bedi, Solicitor, Burges Salmon
|
Hi both, thanks for having me.
|
Chris
|
Hi Isaac.
So, Isaac, 25th of May 2018, a date that you and all in the pensions industry remember very well, when GDPR took effect and we remember advising on it at the time, but we're now five years on. So, it's been five years since GDPR has been enacted, can you tell us a bit about how the landscape's changed since it came into force?
|
Isaac
|
Yes definitely. So, I think when GDPR came into force in 2018, it was quite a steep learning curve for a lot of organisations, particularly pension schemes and trustees because they hold such significant amounts of data, there's a bit of a scramble for how do we comply with these new obligations.
I think initially when it came into force, we were advising a lot on just what these new obligations were, like what is a data controller, what do we need to put in place with our processes, what are data subjects rights, can you draft a notice, draft that's a privacy policy etc., and organisations wanted advice on GDPR a very basic level.
I think five years on from that now employers and trustees have generally got to grips of GDPR, I say that quite hesitantly because obviously it varies quite significantly from scheme to scheme, but I think at a basic level schemes and trustees have a general idea of what the fundamental principles are and what needs to be in place for them to be in compliant.
|
Chris
|
So I think you're absolutely right that schemes put in place the documents they needed back in 2018, so data protection policy and privacy notice and thought about their contractual provisions with third parties and their basis for processing data and that sort of thing, so I agree that groundwork was laid, I suppose different schemes are asking different questions and we'll come on to this a bit later on but we'll come up against different queries and things now but yes I agree that groundwork was it was laid back in 2018.
|
Helen
|
I guess Brexit has been a big change since then.
|
Issac
|
Yes and that's the irony really is that it kind of looks like it's all about to change again, so we'll talk about this later in more detail but generally the position post-Brexit is GDPR still applies, it's retained under UK GDPR and data protection act 2018 but the UK has been quite vocal about having its own standalone regime and there are reforms in place incoming which we'll talk about later, but that's going to bring with a whole new host of queries from trustees on how they can comply.
|
Helen
|
What kind of queries are you getting now from trustees?
|
Isaac
|
The queries we're getting now from trustees are much more specific and targeted and generally relate to more kind of complex or knotty issues, rather than normal compliance advice we were kind of giving at the beginning and those generally relate to examining data protection arrangements and clauses in place with third parties, particularly in relations to bulk transfer arrangements and buyouts, or where scheme's outsourcing to a third-party provider maybe but making sure data protections are arrangements are in place for that.
In particular as well, dealing with DSARs, so data subjects access requests, where members are requesting data and how the scheme can provide that compliantly, especially where the requests are really wide. Our team do a lot of data breaches generally, but for pension schemes it's less of the big ransomware attacks and more human error breaches, where maybe you've sent a member's data to a different member and you need advice on how you can remedy that compliantly, and we give advice on that regularly and we're putting together a package of data breach response documents that can advise schemes on how they can do that.
|
Chris
|
Yes and some schemes have put in place a data breach instant response plan, is that what you're thinking of, or is it a different package?
|
Isaac
|
It's a package of everything that's definitely one thing, and it generally gives you advice on what your obligations are when you suffer a breach and that can form part of your database response plan but often it's just advice on a checklist of what you need to do, because when it happens your head's in a bit of a scramble, you need to know in a clear checklist you need to notify XYZ, you need to call XYZ and it just gives you clearly what you need to do.
|
Chris
|
We're definitely seeing trustees choose to put that sort of plan in place and as you say I've seen them with template emails as to this is what you can say to members at the outset, and the other thing that I suppose I didn't really think about until you actually do start thinking about it is secondary communication lines because if there's been a data breach and communication lines have gone down then how do you liaise with your administrator to make sure pensions are paid on time? So we're definitely seeing that.
Interesting you mentioned breaches at the outset though, because one of the interesting points that you'll know better than I do but has always struck me as really, really interesting is that when the GDPR came in there was a lot of talk about there being mandatory reporting of a breach to the ICO, but my understanding is that's not quite right and that you don't have to report every single breach, but there's a test around the likelihood of there being a risk to members rights and freedoms?
|
Isaac
|
Yes there is a threshold and not all breaches are reportable and and to be completely honest the ICA has done that because they don't want to hear about every little email that's been sent, so there is definitely a threshold and that's one of the first things we advise on and there's two separate thresholds one of which is notifications to the ICA but the other's notification to affected members as well and which carries a higher threshold, but yes every breach is different, they all carry their own considerations and there's definitely a test that probably we as lawyers need to apply when assessing this.
|
Chris
|
Yes absolutely. That's the sort of queries we're getting from trustees at the moment.
I was liaising with a trustee board last week and they are getting ready for buy in and buyout, so they're approaching insurers for quotes and as part of that they wanted to make sure that they properly understood their proportion married, so the proportion of the members that are married and, Isaac, they wrote out to members to say give us details of your spouses or dependents under the definition dependent in the rule, and they asked us to think about data protection there because of course that's members telling trustees about their spouses who are not members of the scheme yet, they're not beneficiaries yet, because the member hasn't died, so that's quite interesting how members pass on information to trustees, personal data to trustees, about their other halves.
|
Isaac
|
Yes and that's a really common issue really isn't it, it's good that I spoke to you because my first piece of advice would be speak to lawyers about how to deal with it, but yes I think that there it's a difficult one for schemes because what do you do and you've been given third-party data that you kind of need but you can't get consent for, and I think the answer to that really is there's not a lot you can do, you're processing that third party's data and I think you have to rely on the assumption that that member has got consent from that third party to do it and direct them to your privacy notice which outlines how you're processing that data on their behalf.
|
Chris
|
Yes absolutely and we put wording saying that into the letter to members.
|
Helen
|
We've had a lot of queries from clients about updating their data sharing agreements, particularly in line with Brexit, but how do you think the UK's data protection regime is going to change post-Brexit, you kind of alluded to this earlier but I think we're waiting on a lot of change, we don't know what's going to happen yet?
|
Isaac
|
Yes, I think there's a lot of big changes incoming, it's interesting you mentioned about data sharing agreements because I'll touch on that briefly in a minute, but just as an overview the UK is moving to its own standalone data protection regime, the general point around this because I'll talk about it more in detail in a second but the general point around it is the UK has done a lot of marketing and kind of shouting about its new standalone regime with a lot less red tape, less restrictions, but essentially they're still reliant on an adequacy decision that's in place between the UK and the EU and adequacy decisions in short essentially rely on there being an equivalent regime in place, so the UK, if it wants to maintain that which it definitely does, is quite limited in in how far it can move away from GDPR, it can obviously have its own standalone regime and has been very strident about saying that, but I think the reality is that there's a limit on how far they can diverge from GDPR.
|
Chris
|
So Isaac, just to jump in, so it won't be able to diverge too far from GDPR, but do we know what some of the differences will be, do we know that?
|
Isaac
|
Yes so there's two big changes I suppose, one that's already enforced, another one incoming. So the first in relation to international data transfers. So as a bit of a basic refresher, organisations can't transfer personal data outside the UK unless appropriate safeguards are in place, so the first of which in the most relied on is that accuracy decisions which we just talked about, so that's where a country recognises another country is having adequate or essentially equivalent measures in place to protect personal data, so that's in place between the EU and the UK until 2025, as we said the limit there is that the the UK can't diverge too much from GDPR or that decision will be revoked and I think this is not really an empty threat from the EU they've done this before and famously the Shrem's judgments took away the adequacy decision in place of the USA, which made it very different, transatlantic flows of data became very difficult and now need appropriate safeguards, so I think it would be quite a major blow to the UK for that to happen.
|
Helen
|
And what was the second point, sorry?
|
Isaac
|
Yes, the second point is where an adequacy decision can't be relied upon, that needs to be appropriate safeguards in place so that's a number of things but you know the most famous and the most frequently relied on is standard contractual clauses or SCCs and then if either of those don't apply you can rely on an exception or deregation but the change from the UK law perspective is that there's a new international data transfer regime, called international data transfer agreements, which essentially allow organisations from September last year to use that as an appropriate mechanism, kind of replacing the SCCs. So organisations now will use either the IDTA, international data transfer agreements, or they can still use the new EU SCCs which came to force in 2021 by way of an addendum to the IDTA.
So it's really for organisations to choose how they want to use these mechanisms. Without getting into too much detail on what the difference is IDTAs are essentially mirrors of the SCCs, they're a set of clauses you put in places of data to protect that data albeit that the difference is they're slightly more flexible in how you use them.
|
Chris
|
Isaac, so I guess trustees mostly see these provisions around international data transfers in their service agreements with third-party providers and most commonly with their administrators, some of whom do the data processing in the UK, some do it in the EA and some do it outside of the EEA, so how much will those need to be updated, just tell us a bit about that?
|
Isaac
|
Yes so the main point to flag I suppose is that all contracts involving international data transfers need to be remediated by March 2024, so as you touched on there's a variety of different kind of transfers, this is this will be for transfers outside the EEA, and as you also touched on it's rarely trustees who are transferring this data, it's normally on their behalf, so let's say where you have a banker and insurer who's paying the benefits to a member who's outside of the EEA, they'll be the ones transferring that data, so from a trustee perspective it may not be them directly remediating this contract.
|
Chris
|
But there'll be the data controller, right?
|
Isaac
|
Exactly yes, so as a data controller they have responsibility for that data and they need to make sure that their third parties are transferring it in a compliant manner, so that will be making sure that third parties are remediated their contracts properly, normally by way of a contractual mechanism in their own contracts with third parties that make sure that they update these and comply with data protection law.
|
Helen
|
And will there be any changes required if they're just transferring data within the UK?
|
Isaac
|
No, because it wouldn't it wouldn't be an international data transfer and similarly as we touched on there's still the adequacy decision in place with the EEA to transfer soon from the EEA and know what they required.
|
Helen
|
That makes sense.
|
Isaac
|
Since the recording of this podcast the government's reintroduced the data protection and digital information bill back into Parliament. This doesn't affect the points raised in this podcast, but trustees should ensure they keep up to date with developments as this bill makes its way through Parliament. You can keep up to date with these developments by following the updates posted on the Burges Salmon website.
|
Helen
|
I've heard about the data protection and digital information bill, is that the new UK legislation that's coming into force?
|
Isaac
|
Yes so this is the UK's new standalone regime and so this is the kind of answer to the GDPR. It's quite difficult to talk about because it's still in draft stage, it's been postponed a number of times due to obvious political turmoil. So there's obviously quite a few changes in leadership recently and I think they put it on the back burner but it's been really hotly debated.
|
Chris
|
Do we know anything about possible changes or differences from EU GDPR?
|
Isaac
|
Yes, so there's quite a few, I mean as I said it's difficult to conclusively talk about it because we don't know what these will look like in final form, but as currently drafted there's probably a few key ones I suppose trustees especially will want to be knowing about, so the first one's amendments to the definition of personal data.
So this is a really hotly debated one, but I think there's been a push from the UK government in recent years to relapse the definition of personal data and particularly in respect of anonymisation, so the anonymisation on the current GDPR is quite difficult, the idea of relaxing the definition would mean that anonymisation becomes much easier, which is beneficial for organisations because when you anonymise data you remove the person, the identifiable information, which means it no longer constitutes personal data, no longer falls within the scope of data protection, you no longer need to comply with those obligations, which is could potentially be quite a big benefit for a lot of organisations and remains to be seen what that would look like, so we don't want to talk about it in too much detail but that could be quite an interesting one.
But pensions schemes and trustees particularly, there's going to be some additional requirements in relation to DSARs. DSARs are often quite administratively burdensome, at the moment you can refuse a DSAR if it's manifestly unfounded or excessive and that's going to be widened slightly with a few new grounds as well such as requests that are submitted in bad faith and it should hopefully give organisations a little bit more flexibility in how they deal with these and the last one that would be quite interesting for trustees is record keeping, sounds quite boring but it's quite a key obligation so obviously there's an obligation to keep records at the moment on the GDPR and that'll be replaced with a requirement to keep appropriate records and that seems like quite a nit-picky change the law but it's actually quite important because it should hope for organisations slightly more flexibility in how they do this and base their record keeping on their size and capabilities and things like that so hopefully reduce the administrative burden a little bit.
|
Helen
|
So when the new legislation comes into force, do you think trustees will have a big job in redrafting their policies and relevant documents around this?
|
Isaac
|
Yes and no, I think it's definitely going to be a big change, it's going to be like GDPR in 2018 where a new regeme comes in and there's a lot to do and I think it really involves it will involve re-drafting policies, redrafting procedures, reassessments of how you approach things like dealing with DSARs and definitely update the training, but I think on the flipside as we touched on there's only so far that this legislation can divert from GDPR, so I think while a lot of these, yes it's definitely going to require updates to policies and procedures and stuff and maybe the names of stuff might change, but I think the concepts behind it are ones which won't be too ready trustees so I think getting to grips with it should hopefully take place on a shorter time scale than it did when the GDPR came into force.
|
Chris
|
Yes and I suppose one other connected point is it's not as though trustees put these policies in place in 2018, have sat on them and will need to update them when the law comes into force, there's that ongoing duty to ensure compliance isn't there, so trustees ought to be considering their data protection obligations as a matter of cause, if they're say liaising with a new service provider, perhaps IFA, that's one example I've seen recently, they should be thinking 'oh do I need to update my privacy notice, what I'm telling to members, the grounds for doing this particular bit of processing' or whatever.
|
Isaac
|
Yes, definitely and I think that's one of the key things to plug I suppose, you'd be surprised how many organisations just generally and pension schemes did this in 2018 as a tick-box exercise then stuck it in a drawer and didn't really think about it, and you see that a lot with stuff like incident response plans as well where it's kind of like 'oh we put it in place but we never really look at it again' but this is definitely a ongoing obligation that they should be considering every time they're processing personal data and yes it's definitely one they need to keep abreast of.
|
Helen
|
Definitely a big aspect of data protection is the need to keep data safe and you mentioned breaches earlier, is cyber security something that you've been advising trustees on frequently in your day-to-day?
|
Isaac
|
Yes definitely, advising everyone on really. I think the general trend in the industry right now is that cyber attacks are on the rise significantly. So during the pandemic there was almost a 600% increase in the number of attacks and I think that they're becoming significantly more sophisticated and they're targeting new areas, so for example the financial sector has been really hit with cyber attacks recently and I think that's because they're really attractive targets for hackers because they hold large amounts of personal data and they've got access to quite a lot of capital to pay any ransom, and while pension schemes I suppose aren't as attractive, they're still definitely a target, in particular maybe less so pensions schemes but more the sponsoring employees and third parties that are involved, and trustees definitely need to look at the risks surrounding that and make sure they have proper protections and policies in place, so as we touched on, database response plans, reviewing their third-party contracts, maybe considering cyber insurance if it's appropriate for this scheme, are all definitely stuff that they need to be looking at.
|
Chris
|
And it feeds into good governance and the Regulator has a very big focus on cyber security and you can see that coming through in the draft single code where the Regulator's publications about cyber security have been strengthened, they were previously principles and and guidance effectively, but they're now being codified so they're given that increased importance.
Isaac, just before we wrap-up the pod, what about tips for best practice?
|
Isaac
|
So in terms of best practice it's all the same things you would normally follow, it sounds quite obvious but it's stuff that needs to be ongoing, so ensuring properties of passwords, using multi-factor authentication, firewalls, VPNs where possible and ensuring as well that you're properly up to date with phishing scams and phishing policies and you're following appropriate guidance there, so I think people think of phishing as like back in the day you get an email from like a distant relative saying you've won the lottery or they've got an inheritance for you and it's really obvious, they're much more sophisticated now and they're actually one of the number one causes of cyber attacks, so just making sure you're aware of guidance around that and then generally just adhering to data protection best practice, so encrypting your data especially when transferring, not holding it for longer than necessary, and deleting it where necessary and backing it up as appropriate, it's all stuff that I think trustees would've sat through cyber security and data protection training on this, and again it's very important.
|
Chris
|
Yes exactly. I'll just add one as well, which is what we see trustees asking us about, is about insurance. So check in terms of insurance cover, does it cover cyber risk and if it does, does it give you the scope and extender cover that you think it does?
|
Isaac
|
Yes and that's a really big one, I mean the data breaches we've dealt with recently, insurance has played a massive part especially in relation to making sure you follow the steps necessary where it is in place to make sure you maintain cover, so a lot of these policies will have in place clauses that require you to do certain things upon the breach or you will lose that cover and obviously with cyber attacks the cost is very expensive, both in terms of instructing third parties to remediate it and the cost of your business in general, so making sure you have that cover in place to recover that is particularly important and also making sure you don't lose it obviously.
|
Helen
|
Yes, so you've covered a lot today, definitely a lot still to come, Isaac could you just give our listeners three key takeaways?
|
Isaac
|
Yes sure. So I think the three main ones are international data transfers, as I touched on, trustees making sure they're taking the appropriate steps and getting their third parties to ensure compliance with that, data protection and digital information bills, huge, as we've touched on we don't know too much about it it's very much this is on the horizon, watch this space, but definitely keep your eyes open for updates, and we at Burges Salmon will be putting out updates regularly on that so definitely follow along, and the last one I think you touched on Chris which is ongoing obligations, just making sure that trustees are aware of what their obligations are, aware of what they need to do to comply and are making sure they take those steps.
|
Chris
|
Yes so lots to look out for, I think that's been really, really useful, thanks Isaac for coming on the pod.
|
Isaac
|
No thanks both for having me.
|
Chris
|
Thank you for listening to the Burges Salmon Pensions Pod with me, Helen and Isaac.
If you'd like to know more about our pensions team and how our experts can work with you, then you can contact myself, Helen or any of the pensions team via our website. If you enjoyed this podcast you may also enjoy listening to our next and last episode of season three which will be available, as this one is, on Apple, Spotify or wherever you listen to your podcasts.
Don't forget to subscribe, and thanks for listening.
|