ARE YOU READY FOR THE NEW DATA PROTECTION LAWS?


GETTING READY FOR THE GDPR - PART ONE

DATA PROTECTION LAWS ARE CHANGING

On 25 May 2018, the General Data Protection Regulation (GDPR) goes into effect in all member states of the European Union, including the United Kingdom.

KEY POINTS

The GDPR comes into effect in May 2018: new data protection laws and regulations will come into effect across the EU on 25 May 2018.

The GDPR will apply to trustees: pension scheme trustees are typically data controllers in respect of a scheme's personal data.

New legal duties and higher fines: the GDPR applies a range of legal duties on both data controllers and data processors. In addition, the maximum levels of fines for data breaches are materially higher.

Trustees will have to take action: as data controllers, trustees will need to take action to ensure that they comply with the GDPR. This will include making important decisions relating to data protection.

What is the new data protection law?

The new data protection law is the General Data Protection Regulation (the GDPR). As an EU regulation, it will apply directly in all of the EU's member states. The GDPR will replace the current data protection regime under the EU's Data Protection Directive 1995 (brought into effect in the UK by the Data Protection Act 1998).

When will the law on data protection change?

The GDPR goes into effect in all EU member states (including the UK) on 25 May 2018. The UK will also have new domestic legislation in a new Data Protection Act. The Data Protection Bill 2017-19 is currently passing through Parliament.

What are the biggest headline changes under the new data protection regime?

There are two key changes that will transform how people think about data protection:

1 Data processors will, for the first time, have direct legal duties under data protection legislation

Under the Data Protection Act 1998, only data controllers owed direct legal duties. Under the GDPR, data processors will also have direct legal duties.

Legal02#71140122v1[IDC1] 5

In a pensions context, this means that service providers (such as administrators) and professional advisers (such as investment consultants) are likely to press for more comprehensive coverage of data protection issues in contracts and push for stricter delineation of roles, responsibilities and liabilities in these agreements.

2 Fines will be materially higher

Under the Data Protection Act 1998, the maximum fine for a serious breach of data protection law is £500,000. Under the GDPR, the maximum fine will, depending on the type of breach, be either:

- the higher of 20 million Euros and 4% of global turnover; or
- the higher of 10 million Euros and 2% of global turnover.

Most of the obligations under the GDPR fall under one of these two sets of fines.

In the pensions industry, this means that data protection issues will be more central to negotiations on contracts and are likely to feature more prominently on everyone's list of priorities. In addition, it is likely that employers will be more concerned to ensure that trustees are complying with their data protection obligations.

What are the data protection principles under the GDPR?

The Data Protection Act 1998 set out eight data protection principles that guided the legislation and regulatory regime. This approach has been followed in the GDPR. There are six principles set out in the GDPR along with an additional overriding principle of accountability that applies to all aspects of the regime:

1. lawfulness, fairness and transparency;
2. purpose limitation;
3. data minimisation;
4. accuracy;
5. storage limitation; and
6. integrity and confidentiality.

In plain English, the principles can be understood as requiring that when personal data is processed, it is:

- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and kept up to date;
- retained for no longer than is necessary; and
- processed in a manner to ensure appropriate security;

with ACCOUNTABILITY as the overriding principle applying across all of these.

Why is there also a Data Protection Bill in the UK?

The government has brought a new Data Protection Bill before Parliament. This is not intended to duplicate or transpose the provisions of the GDPR into UK law. Instead, the Data Protection Bill 2017-19 will:

1 Extend the scope of the GDPR

The GDPR sets out a general framework, but requires Member State or further EU legislation to provide a comprehensive data protection framework. The Data Protection Bill will provide the UK's member state legislation to ensure that the GDPR works in the UK.

2 Fill in some of the gaps in the GDPR with UK legislation

The GDPR sets out the guiding principles and the general framework for an EU-wide data protection regime. More detailed provisions are then expected to be set out in additional EU or member state legislation. The Data Protection Bill will provide this additional legislation in the UK and will help to ensure that the GDPR works as intended.

3 Set higher standards in respect of control over personal data

The Conservative Party included commitments on data protection in their manifesto in the run-up to the General Election held in June 2017. The government is therefore committed to giving people more control over the use of their data, and to providing new rights to move or delete personal data. These will go over and above what is required in the GDPR.

4 Preserve, where possible, the tailored exemptions under the current data protection regime

The Data Protection Act 1998 contains a series of exemptions which help UK businesses, researchers, financial services, journalists and lawyers to do business. The Data Protection Bill seeks, as far as possible, to retain these exemptions and provide continuity for anyone engaged in these areas in the UK.

5 Repeal the Data Protection Act 1998

The Data Protection Bill includes provisions to repeal the Data Protection Act 1998 and to clarify the role of the Information Commissioner's Office. It will also ensure that any provisions of the Data Protection Act 1998 that need to be carried forward are preserved in primary legislation.

The Data Protection Bill will not transpose the GDPR into UK legislation. This will be achieved via the European Union (Withdrawal) Bill. The government and the ICO have, however, confirmed that the UK's data protection regime will not be materially changed as a result of the UK's withdrawal from the European Union.

Why is data protection relevant to pension scheme trustees?

The GDPR's main focus is to regulate the processing of personal data. Pension scheme trustees need to process personal data for a number of reasons, including:

- to administer the scheme in line with the scheme's governing documents;
- to pay the correct pension benefits to the right people at the right time; and
- to exercise discretions and make decisions in line with the scheme's governing documents and their duties under trust law.

Trustees will usually be data controllers in respect of their scheme's personal data. Under the GDPR, data controllers are required to process personal data in line with the data protection principles and comply with a range of specific legal requirements.

What are the main things that pension scheme trustees will have to do next?

The GDPR encourages data controllers to put in place:

- data protection by design; and
- data protection by default.

In practice, this means that data controllers (such as trustees) will need to think about their policies, processes and procedures and ensure that they reflect the data protection principles. Trustees should consider the following key issues:

Understand your scheme's data and your legal obligations

Pension scheme data is usually held on paper files and/or computer systems. This data is often shared with third party service providers. As data controllers, trustees will need to understand what personal and sensitive personal data the scheme and any third parties hold, use and share. As a data controller, trustees will be expected to understand their legal duties and demonstrate how they've complied. Part two of this Guide focuses on this in more detail.

Consider the role of third parties and contractual terms

Third party service providers are key to the administration and running of many pension schemes. Trustees need to understand and review how the scheme's administrators, actuaries, lawyers and other advisers use the scheme's data. They will also need to review and possibly renegotiate the contractual terms that are in place with any third parties. Part three of this Guide focuses on third parties in more detail.

Make decisions about legal issues on data protection

Data controllers will need to make decisions on a range of issues relating to data protection. One of the most important decisions will be to agree the legal basis upon which the Trustees process the scheme's personal and sensitive personal data. Trustees will also have to record these decisions in order to demonstrate accountability. Part four of this Guide looks at privacy notices in more detail.

Communicate with data subjects by issuing data protection notices

Data controllers are required to give certain information to individuals about how and why their personal data is used. This is usually done by issuing data protection notices (also referred to as privacy notices). Under the GDPR, data protection notices need to be more detailed and specific than under the current data protection legislation. Part five of this Guide looks at this in more detail.

Review the scheme's policies and procedures

Data controllers need to ensure that they have put in place appropriate technical and organisational measures. This means understanding and reviewing how the scheme (and any third parties) store, secure, share, back up and monitor personal data. Data controllers will also have to demonstrate how they have complied. A compliance record can help with focusing on the key tasks, managing the compliance project and documenting the steps taken.