Over two years after the General Data Protection Regulation 2016 (GDPR) came into effect, a number of recent events have thrown data protection compliance issues well and truly back into the spotlight. Many trustees will, no doubt, have gone through a rigorous process in 2018 to bring their data protection policies and procedures up to scratch, but recent developments have demonstrated the importance of treating GDPR compliance as an ongoing obligation, rather than a one-off, tick-box exercise. 

In this article we set out our top five steps that trustees can take now to help ensure that they can weather recent changes to the data protection landscape. 

 1. Check your GDPR health 

GDPR policies and procedures put in place in May 2018 are not intended to be static and should be subject to regular review to ensure they remain compliant with current law and guidance. Particularly if you haven’t done so since May 2018, now is a good time to do a GDPR health-check to see where there are gaps that should be plugged. Take a look at all your data protection-related policies and think about what has and hasn’t worked from a GDPR compliance perspective over the last two years so that you can amend accordingly. 

It is also a good idea to look at relationships with third parties with whom you share personal data, such as pensions administrators and third party suppliers. Make sure that you have up-to-date contracts in place with those third parties dealing with the data sharing and setting out the parties’ respective compliance responsibilities. 

Many trustee boards also have a data sharing agreement with employers. Consider if you should put one in place. 

 2. Know where your data is

This is always good advice, but even more important in the wake of the Schrems II judgment in July 2020. In the judgment, the Court of Justice of the European Union (CJEU) held that the EU-US Privacy Shield framework, commonly relied on by EU and UK organisations to legitimise transfers of personal data to the USA, is invalid. The CJEU also put more onerous obligations on EU and UK organisations using European Commission Standard Contractual Clauses (SCCs) as a basis for the transfer of data to non-EEA countries; those organisations will now have to satisfy themselves that the recipient country’s laws are adequate before using SCCs. 

Whilst the full impact of the judgment is yet to become clear and regulatory guidance is awaited, it does mean that trustees will need to have a really good grasp of where their data is held and where it might be sent. Trustees should review all third party data sharing arrangements (including with suppliers such as cloud providers) and ensure that they are aware of which countries their data will be stored in, transferred to and accessed from. Start speaking to suppliers now to gauge what they are doing in response to this landmark judgment and keep up-to-date with regulatory guidance so that you can act quickly once next steps become clear.

 3. Be COVID-aware

The coronavirus pandemic has led to significant changes in many organisations’ working practices, with far more people working from home and a much greater reliance on technology to communicate. Whilst there are undoubtedly positives to both of these, they also come with increased data protection risks. 
Any use of new technology that involves processing of personal data (such as deployment of video conferencing tools) should be subject to a data protection impact assessment (DPIA) to assess and document the privacy risks and mitigating solutions. 

Working from home can lead to greater security risks, including accidental disclosures of personal data to family/friends when sharing working spaces and hackers trying to take advantage of vulnerabilities in remote access software. You should make sure all software used is up-to-date, regularly patched and incorporates robust security measures for secure remote working. Make sure that clear and comprehensive home working policies are in place for trustees and remember that data protection, confidentiality and security obligations continue apply. 

 4. Remain vigilant against scams 

Cybercrime and pensions scams are on the rise and organisations operating within the industry are a prime target due to the nature of the personal data processed. Cybersecurity is an area that both The Pensions Regulator (TPR) and the Pensions Administration Standards Association (PASA) have raised concerns about; PASA intends to publish guidance on maintaining resilience against cybercrime in the coming months. 

In the meantime, to ensure that you remain as vigilant as possible against cyberattacks and scams, check that your advisers have independent accreditation for their cybersecurity measures (such as ISO27001 or similar) and conduct regular testing of those measures to identify and fix vulnerabilities. Raising awareness among trustees is also key; phishing attacks are increasingly common and often rely on human error such as clicking a suspicious link. Regular trustee training is therefore extremely important to ensure that cyber risk is front and centre of people’s minds. 

5. Don’t forget Brexit

Whilst Brexit may have been overtaken in the headlines by the pandemic, the end of the transition period, after which the UK will become a “third country” for data protection purposes, is fast approaching. After 31 December 2020, the UK will have more freedom to introduce changes or additions to data protection legislation, so it is important to remain up-to-date with any relevant developments so that you can continue to comply (although there are unlikely to be immediate, significant deviations from the GDPR framework). 

Data transfers between the UK and the EEA are unlikely to be affected in the short term, as the UK has confirmed that it will recognise all EEA countries as providing an “adequate” level of protection, which means data can continue to flow freely from the UK to EEA member states. However, trustees that receive personal data from EEA countries may be asked to implement additional measures, such as signing SCCs or putting in place additional safeguards, if the European Commission does not determine that the UK’s level of data protection is “adequate”. We recommend closely monitoring Brexit negotiations on data protection to ensure that you can continue to receive data from EEA countries if necessary. 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Written by

Emma Erskine-Fox

Emma Erskine-Fox

Date published

25 August 2020