International Data Transfers: Actions for pension schemes

Where contracts are in place with an element (or potential element) of data being transferred internationally, those contracts should be updated to reflect the legal changes that have taken place since Brexit, including updated guidance from the ICO, by 21 March 2024. If action is not taken, there is likely to be a technical breach of the UK General Data Protection Regulation 2018 (UK GDPR). 

As a trustee of a pension scheme, this may be a concern for you in relation to your service providers (who may or may not transfer some of the personal data of your members abroad). Where your scheme data is being transferred abroad (whether that transfer is being made by the scheme itself or its service providers), we recommend that you take steps to comply with the transition to the new set of standard terms if you haven’t already taken action. 

The legal changes post-Brexit

The UK GDPR contains restrictions on international data transfers. Personal data cannot be transferred outside the UK without appropriate measures to ensure that personal data is adequately protected.

The following are deemed appropriate measures by the UK GDPR:

1. adequacy decisions;
2. binding corporate rules;
3. approved code of conduct; or
4. standard contractual clauses.

Back in March 2022, the Information Commissioner’s Office (ICO) introduced two new types of standard contractual clauses:

1. the International Data Transfer Agreement (IDTA); and
2. the International Data Transfer Addendum (Addendum) to the new European Commission’s Standard Contractual Clauses (new EU SCCs),

replacing the old European Commission’s Standard Contractual Clauses (old EU SCCs) used by UK data exporters to transfer personal data outside the UK. We discussed the changes here.

The ICO granted a grace period until 21 March 2024 for UK entities to update their existing data transfer arrangements to use either the IDTA or Addendum to the new EU SCCs. 

Why this is relevant to your pension scheme?

As set out above, where contracts are in place with an element (or potential element) of data being transferred internationally, those contracts should be updated to reflect the legal changes that have taken place since Brexit, including updated guidance from the ICO, by 21 March 2024. This date is relevant for any entity in the UK that is having data that they are responsible for transferred abroad, whether that be:

1. transferring it themselves, or
2. a third party is transferring it that they have delegated responsibility to.

Of course, pension scheme trustees are data controllers for the purposes of UK GDPR and are therefore responsible for how their third party suppliers use their scheme’s data. 

Whilst some pension schemes may fall into the first category (e.g. if the scheme is transferring data to its overseas scheme employer), it is more likely that your scheme will be impacted via the second category. Namely, it may be that your scheme administrator (or other third-party service provider) transfers the data overseas, depending on the sub-processors that it uses and the services that it provides to you.

Depending on how up to date your data mapping is, you may not know whether your third party suppliers transfer data overseas unless you ask the right questions. 

What are the risks of non-compliance?

Should your scheme fall into either category and fail to take sufficient steps to comply, then this is likely to result in a breach of the UK GDPR. As a reminder, the ICO has the power to impose fines of up to £17.5 million or 4% of the total annual worldwide turnover (whichever is higher in the preceding financial year) on businesses for non-compliance.

In our view, we would not expect the ICO to issue fines to trustees who have not updated their GDPR addendums for this change before 21 March 2024, provided that trustees are taking active steps to remedy this technical breach of UK GDPR. If, however, trustees take an active decision not to take steps to address this issue or if this technical breach demonstrates a regular pattern of non-compliance with data protection issues then we would expect the ICO to take a stricter view. 

How your pension scheme can ensure compliance

With the deadline fast approaching it is important that schemes identify whether they (or third-party service providers) have existing arrangements in place incorporating the old EU SCCs, and to update (or request for updates to be made to) those arrangements accordingly.

Therefore, we suggest that you take steps to ensure compliance with these legal changes. There are two key aspects to this, which are:

1. Asking your third party suppliers whether they have made changes to their arrangements with their sub-processors to reflect these changes where relevant.
2. Reviewing the GDPR addendums in your third party contracts to check whether they need to be updated to reflect the changes. If you know that particular suppliers do transfer data overseas, we suggest considering the position for those suppliers as a priority. 

If the scheme itself transfers data overseas, then steps should be taken to obtain legal advice as to the new standard terms, at the very least. 

The key immediate action point (ideally ahead of 21 March 2024, but otherwise as soon as possible) will be to understand the position and to document progress and future plans to comply.

This might also be an opportune time to consider updating your scheme’s data mapping, particularly in light of the Pensions Regulator’s increased focus on cyber security in the last few months. 

Please get in touch with Richard Pettit, Samantha Howell or your usual Burges Salmon contact if you would like support with implementing these changes to ensure compliance with UK GDPR.