New Data Regulation, Brexit and the Pensions Industry.


December 2016

Thanks to high-profile news coverage of data breaches and increasingly sophisticated cyber-crime, the public's awareness of privacy issues has never been greater. At the same time, technology has made the collection, use, storage and sharing of private data much easier than ever before. It is no wonder, then, that the new General Data Protection Regulation ("GDPR") seeks to impose more rigorous protections and tougher enforcement around the use of individuals' data.

What does this mean for pensions trustees?

Pensions trustees have always relied on the use and sharing of significant repositories of members' data in order to administer schemes. Often, the type of data handled by trustees is sensitive from both a cyber-crime and a regulatory perspective, including members' bank account data, benefits data, earnings data, information about partners and dependents, and health data. This data can be used for many different purposes, including to deliver services to members electronically, to leverage outsourced services and to work with insurers to hedge risk. All of these situations create potential risk under the GDPR. This makes it crucial that pensions trustees understand how the GDPR will impact their use of data from 25 May 2018.

Contents
> What does the GDPR regulate?
> When might the GDPR be relevant?
> What will we need to do differently?
> What if the personal data is anonymised?
> Do special conditions apply to sensitive personal data?
> How will Brexit impact compliance with the GDPR?

What does the GDPR regulate?

The GDPR regulates the processing of information relating to an identified or identifiable natural person (generally known as "personal data"). Trustees tend to hold significant amounts of personal data relating to pension plan members and other beneficiaries, which may include sensitive personal data (such as data relating to health or sexual orientation). This means they need to think about the GDPR and start putting in place measures to comply with it now. The changes brought in by the GDPR will require system and process changes which are unlikely to be capable of being bedded in within short timescales.

When might the GDPR be relevant?

Specific examples of where the GDPR might apply in the context of activities undertaken by trustees are:

> when collecting personal data from members and using that data for administration purposes, including when data is shared with a third-party service provider, such as in the context of an administration outsourcing or offshoring;
> in longevity swaps, buy-in and buy-out contracts, and other de-risking exercises such as pension increase exchanges or enhanced transfer value offers; these necessitate the involvement of multiple new advisers to the scheme and disclosures of personal data to third parties, such as for pricing purposes;
> scheme mergers, when personal data is transferred between sets of trustees and between the outgoing and incoming administrators;
> in the context of corporate transactions (for example, where trustees are asked to provide personal data for inclusion in an online data room); and
> when companies ask trustees to provide personal data for the purposes of company-funded independent financial advice, for example when members approach retirement.

What will we need to do differently?

The GDPR retains the same core rules as the current Data Protection Directive, but introduces some significant changes. These changes are detailed in our survival guide to the GDPR, a copy of which is available for download here. Broadly, they include:

> Privacy notices: the notices you give to members detailing how their personal data is used will need to be updated to include a greatly expanded list of information, such as how long you will store their information and the various rights they have in respect of the information. At the same time, the GDPR expects you to deliver this information in a simple and easy-to-understand way. You may need to undertake a re-papering exercise to comply with the new rules. See page 32 of our survival guide.
> Consent: consent to the processing of personal data will become more difficult to obtain from members in general. Existing consent may not be sufficient for GDPR purposes and, in addition, you may decide that you no longer wish to rely on consent unless absolutely necessary, since members will now have the right to withdraw their consent at any time, which could have significant operational implications. You should review those situations in which you rely on consent and check that any consents obtained are adequate and properly evidenced. See page 22 of the survival guide.

> Privacy impact assessments: the GDPR requires organisations to carry out an assessment of the risks of intended processing activities (e.g. sharing member data with new service providers). Where projects will involve high risks for members, you will need to conduct a privacy impact assessment. In certain circumstances, you may also need to contact a data protection regulator about your impact assessment, so you need to ensure your impact assessment is carried out early, which is more easily said than done in the new age of rapid digital innovation for pension schemes. See page 35 of the survival guide.
> The right to be forgotten and related rights: members will have the right, in some circumstances, to require the erasure of their personal data, or to have their personal data quarantined. Systems and processes will need to be reviewed to check whether this is technically possible and how any such requests would be dealt with in practice. See page 29 of the survival guide.
> Obligations for data processing contracts: contracts with data processors, such as administrators and other service providers, will need to include a greatly expanded list of obligations, such as in relation to sub-contracting and assistance in carrying out privacy impact assessments. As data processors will have direct liability for breaches under the GDPR, they are more likely to seek indemnities from trustees for data protection fines caused by the trustees' acts or omissions. Trustees should consider how they will approach the renegotiation of existing contracts with processors, as well as the implementation of the mandatory terms into processor contracts. See page 44 of our survival guide.
> Data transfers: transfers of personal data outside the EU, such as to back-office service providers, will continue to be restricted, and the GDPR will also regulate the onward transfer of personal data after the initial transfer (e.g. to subcontractors and retrocessionaires). See page 46 of our survival guide.
> Record-keeping obligations: although under the GDPR you will no longer be required to notify data processing activities to the regulator, you will need to keep records of the processing you carry out. This will require trustees to understand their processing in more detail and to ensure that their administrators are aware of the need to collect and submit this information. The survival guide sets this out on page 33.
> Notifications of data breaches: data security requirements under the GDPR are enhanced, and there will be an obligation to notify a supervisory authority of a data breach, and the relevant individuals in certain circumstances, which significantly increases the risks resulting from a data breach. The breach notification process is set out at page 40 of our survival guide.

What if the personal data is anonymised?

A common misconception is that data protection laws do not apply if the names of individuals in a dataset are redacted. If an individual can be identified either from the dataset or from other data in the possession of the business, the information will be personal data. An individual is identified when distinguished from other members of a group. For example, it may be possible to identify an individual from a redacted dataset (which does not include names) where the other data fields disclosed include date of birth, postcode and pension amount. This information may be sensitive personal information, for example if provided with details of that individual's marital status (and therefore potentially sexuality) or details of retirement or of any ill-health.

Do special conditions apply to sensitive personal data?

The concept of sensitive personal data (referred to in the GDPR as "special categories of personal data") has been expanded under the GDPR. It includes the new categories of biometric and genetic data, and existing categories such as health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning a person's sex life or sexual orientation. The core rules for sensitive personal data remain largely the same, and identifying a processing justification for sensitive personal data will continue to be challenging under the GDPR.

How will Brexit impact compliance with the GDPR?

The GDPR will almost certainly now apply in the UK prior to Brexit, and the newly-hyped Great Repeal Bill looks set to entrench it into UK law after Brexit, for at least a time. Therefore, trustees will need to prepare for GDPR compliance notwithstanding Brexit. If trustees have their personal data processed in other EU Member States, they will have to continue to comply anyway.

Post-Brexit, in the absence of any special agreement, the UK would cease to be a member of the EU and would not automatically be considered, for the purposes of EU rules, to have implemented an adequate level of data protection (irrespective of the UK's adoption of the GDPR). This means that some organisations may need to think about how to legitimise transfers of personal data from within the EU to the UK post-Brexit (for example, when service providers to non-UK organisations are based in the UK). This may be unlikely, however, to be an issue for the trustees of most UK-based pension schemes, unless perhaps they have members employed in any EU states.
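The anonymisation section above warns that a member extract with names removed can still single out individuals through date of birth, postcode and pension amount. As an added example (not part of this Linklaters note), the Python script below measures that risk on a constructed member extract: it computes the k-anonymity of the dataset over those three quasi-identifiers (the size of the smallest group of rows sharing the same values, so k == 1 means someone is unique and identifiable by anyone who holds those fields from another source), lists the members who are singled out, and shows how far the fields have to be coarsened (year of birth, postcode district, banded pension amount) before every member shares their combination with at least one other. The record values, field names and band sizes are all constructed for illustration.

```python
"""Added example: is a 'redacted' member extract actually anonymous?

A dataset is k-anonymous over a set of quasi-identifiers when every
combination of those fields appears at least k times. k == 1 means at
least one member is unique on those fields alone. All records, field
names and band sizes below are constructed for illustration.
"""
from collections import Counter

# Constructed sample extract with member names already removed.
# Two members share every quasi-identifier; the other four are unique.
MEMBERS = [
    {"dob": "1958-03-14", "postcode": "EC2Y 8HQ", "pension": 18450, "health": "ill-health retirement"},
    {"dob": "1958-03-14", "postcode": "EC2Y 8HQ", "pension": 18450, "health": "none"},
    {"dob": "1961-11-02", "postcode": "EC2Y 8HQ", "pension": 12300, "health": "none"},
    {"dob": "1961-07-19", "postcode": "EC2Y 5AB", "pension": 11900, "health": "none"},
    {"dob": "1964-01-30", "postcode": "EC2Y 5AB", "pension": 10100, "health": "none"},
    {"dob": "1964-09-08", "postcode": "EC2Y 5AB", "pension": 15400, "health": "ill-health retirement"},
]

# Fields that, in combination, can identify a member (assumed for this example).
QUASI_IDS = ("dob", "postcode", "pension")


def _key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest group of rows sharing one quasi-identifier
    combination. A result of 1 means some member is singled out."""
    groups = Counter(_key(r, quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def singled_out(records, quasi_ids=QUASI_IDS):
    """Rows whose quasi-identifier combination appears exactly once."""
    groups = Counter(_key(r, quasi_ids) for r in records)
    return [r for r in records if groups[_key(r, quasi_ids)] == 1]


def generalise(record, band=5000):
    """Coarsen the quasi-identifiers: keep only the year of birth and the
    outward postcode, and round the pension down to a multiple of `band`.
    Non-identifying fields such as 'health' are left untouched."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["postcode"] = record["postcode"].split()[0]
    out["pension"] = (record["pension"] // band) * band
    return out


def generalise_until(records, k, max_band=50000):
    """Double the pension band (starting at 5000) until the generalised
    dataset reaches k-anonymity. Returns (band, generalised_records), or
    (None, None) if k cannot be reached within max_band."""
    band = 5000
    while band <= max_band:
        generalised = [generalise(r, band) for r in records]
        if k_anonymity(generalised) >= k:
            return band, generalised
        band *= 2
    return None, None


if __name__ == "__main__":
    print("k-anonymity of the raw extract:", k_anonymity(MEMBERS))
    for row in singled_out(MEMBERS):
        print("singled out:", {q: row[q] for q in QUASI_IDS})
    band, generalised = generalise_until(MEMBERS, k=2)
    print(f"k=2 reached with pension band {band}; "
          f"k now {k_anonymity(generalised)}")
    print("k=3 reachable:", generalise_until(MEMBERS, k=3)[0] is not None)
```

Note that k-anonymity only addresses whether a member can be singled out; in the constructed data, the two members who share all quasi-identifiers still differ on the health field, so a recipient who knows one of them is in the extract learns nothing, but the exercise shows why the note treats such extracts as personal data rather than anonymised data.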

If you would like to discuss further, please contact your usual Linklaters contact or Georgina Kon (on +44 20 7456 5532) or Julian Cunningham-Day (on +44 20 7456 4048).

Contacts

For further information please contact:

Georgina Kon, Partner, (+44) 20 7456 5532, georgina.kon@linklaters.com
Julian Cunningham-Day, Partner, (+44) 20 7456 4048, julian.cunninghamday@linklaters.com

Authors: Georgina Kon, Julian Cunningham-Day

This publication is intended merely to highlight issues and not to be comprehensive, nor to provide legal advice. Should you have any questions on issues reported here or on other areas of law, please contact one of your regular contacts, or contact the editors. Linklaters LLP. All Rights reserved 2016.

Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term "partner" in relation to Linklaters LLP is used to refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP, together with a list of those non-members who are designated as partners and their professional qualifications, is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ, or on www.linklaters.com, and such persons are either solicitors, registered foreign lawyers or European lawyers. Please refer to www.linklaters.com/regulation for important information on Linklaters LLP's regulatory position.

We currently hold your contact details, which we use to send you newsletters such as this and for other marketing and business communications. We use your contact details for our own internal purposes only. This information is available to our offices worldwide and to those of our associated firms. If any of your details are incorrect or have recently changed, or if you no longer wish to receive this newsletter or other marketing communications, please let us know by emailing us at marketing.database@linklaters.com.

Linklaters LLP, One Silk Street, London EC2Y 8HQ. Telephone (+44) 20 7456 2000. Facsimile (+44) 20 7456 2222. Linklaters.com

A33127517/0.0/16 Dec 2016