UK Pensions Briefing: The General Data Protection Regulation: Five Years On

Articles 13 and 14 of the GDPR require trustees to provide comprehensive information to members about the processing of their personal data, including: the categories of personal data processed; the purposes of processing; the lawful basis for each purpose of processing; categories of recipients of personal data and information regarding retention, individuals' rights and international transfers of personal data.

This is usually presented by way of a privacy notice.

Trustees need to be aware of recent enforcement decisions regarding privacy notices e.g. the Irish Data Protection Commissioner's findings in respect of WhatsApp's privacy notice¹ and the Information Commissioner Office's monetary penalty notice against TikTok².

In summary, the regulators expect privacy notices to provide information in a lot more detail and granularity. For example:

• There needs to be a link between the categories of personal data processed and the processing activity performed on them. Each processing activity should be ascribed a lawful basis and trustees should avoid ascribing multiple lawful bases per processing activity. In practice, a tabular format may be more suitable in presenting this information in this more granular manner.
• If legitimate interests are being used as a lawful basis, the specific legitimate interests should be set out. If legal obligations are being used as the lawful basis, the specific law/regulation should be cited.
• Categories of recipients should be as specific as possible and additional information should be provided about retention periods, including the criteria to determine these.
• Further detail about international transfers should be provided, including the specific transfer mechanism relied on. There is also an expectation that countries to which personal data is transferred are listed.

Trustees should therefore consider whether their privacy notices need to be updated to take into account these requirements.

In addition to the above, trustees should also consider whether the purposes of processing set out in these notices remain accurate and comprehensive. We are, for example, seeing a number of trustees interested in undertaking (or instructing service providers to undertake) more detailed analysis on personal data, including by using AI technologies or sharing with third parties to facilitate bank transfers or insurance solutions.

These use cases may not have been contemplated in 2018 and may need to be added to privacy notices. Similarly, they will need to be added to records of processing activities (ROPAs), which all data controllers (including trustees) are required to maintain and update under Article 30 of the GDPR.

Finally, privacy notices need to be "accessible". This is particularly important in the pensions sector as a number of members may be vulnerable or may not possess the appropriate technical expertise or equipment to access online notices. Consider therefore the provision of updated notices as part of hard-copy newsletters that are provided to members.

Trustees share member personal data with a number of third parties, including administrators, actuaries, consultants, advisors and service providers.

A number of these third parties, including administrators, act as "processors", and process member personal data on behalf of the trustees and in accordance with these instructions.

Under Article 28 of the GDPR, data sharing arrangements between trustees and their processors must be governed by a contract that include certain mandatory processor provisions. These include requirements on the processor to: maintain appropriate security; assist with responding to data subjects' rights; inform the trustee of a personal data breach; only engage sub-processors with the trustees' consent; and to allow for and contribute to audits.

Other third parties may act as controllers. Whilst the GDPR does not require mandatory data sharing provisions to apply between two controllers, guidance from the ICO³ is clear that it nonetheless expects suitable data sharing arrangements to be in place.

With respect to international transfers of personal data, trustees should remember that transfers (including onward transfers e.g., by administrators) of personal data from the UK to a country not considered as providing adequate safeguards⁴ is not permitted unless the transfer is governed by a data transfer mechanism.

The most commonly used mechanism is the EU-commission approved standard contractual clauses (SCCs). On June 4, 2021, the EU-commission issued an updated and modernised version of the SCCs⁵, replacing the previous SCCs. On March 21, 2022, the ICO's UK addendum to the SCCs, and the ICO's international data transfer agreement and came into force⁶.

Consider undertaking an audit or review of the security measures and controls applied to member personal data to determine whether current measures remain up-to-date in light of new technology and new potential threats, particularly given the increase in cyber-attacks such as sophisticated phishing and ransomware. Trustees should consider engaging information security advisors or consultants to assist with this.

Make sure processes are in place to detect and respond to personal data breaches quickly, especially given the tight timelines under the GDPR to notify the ICO if reporting thresholds are met (i.e., within seventy-two hours of becoming aware). As controllers, the notification responsibilities fall on the trustees so trustees will need to have procedures in place to obtain information and assistance from administrators and oversee their response.

To ensure that key stakeholders involved are aware of their responsibilities and required actions, trustees should consider reviewing and updating their breach response processes and undertaking "trial runs" of personal data breach scenarios with their administrators.

Data subjects have numerous rights under the GDPR, including the right to access personal data processed about them (data subject access request or DSAR), the right to have personal data erased, rectified, and to have their data provided to another controller in a structured, commonly used and machine readable format. These are subject to certain exemptions.

Responding to such requests, particularly DSARs, can be very time-consuming and difficult if systems are not set up in a manner where it is easy to retrieve and isolate personal data concerning a specific individual.

In practice, a number of these rights are responded to by administrators on behalf of trustees. As controllers however, the compliance responsibility falls on the trustees.