Data protection – new law means new issues for trustees
The European Parliament has adopted a new General Data Protection Regulation (GDPR), which will apply to the UK from May 2018. The GDPR will have direct effect, which means that it will automatically replace the Data Protection Act 1998 (DPA) from May 2018.
The scale of the changes made by the GDPR means that pension scheme trustees, employers, administrators and advisers will need to consider the implications of the new requirements well before May 2018 and identify the steps they will need to take to ensure compliance.
Why is data protection relevant to trustees and what should they be doing now?
Both trustees and employers hold personal data in relation to scheme members and employees and are “data controllers” within the meaning of the current data protection legislation. As a consequence, they have numerous compliance obligations. Although most processing of pension scheme member data is carried out by the scheme administrator, it is the trustees (as data controllers) who are responsible for ensuring that all data processing carried out on their behalf, including by the scheme administrator, complies with the data protection legislation.
Trustees currently have to comply with a number of principles in relation to the way they handle member data. These principles include ensuring that members are aware of how and why information relating to them is being processed; personal information is accurate and up to date; information is secure (even when it is held by third parties who are processing the information on behalf of the trustees); and that personal information is not transferred outside the European Economic Area to any country that does not provide adequate protection for individuals’ rights in relation to processing personal data.
In addition, trustees must always have a lawful basis for processing data, which can cause problems, particularly for sensitive data such as health information or data which indicates a member’s sexual preferences.
What’s new?
The basic principles and permitted reasons for processing data are not changing significantly. However, there are a number of new requirements and some significant changes to the mechanics for ensuring compliance and the penalties for failure to do so. The key changes that trustees need to be aware of are:
- Increased transparency requirements: Although members currently need to be provided with details about what their personal information is being used for, they will need to be given significantly more information under the new regime. For example, they will need to be told how long data will be held for, that they have a right of access to it and to object to it being processed and what the nature of, and legal basis for, the processing is.
- Data protection compliance: Data controllers will need to adopt internal policies and implement measures to ensure that they can comply with the data protection requirements.
- Member rights: The time period for compliance with subject access requests will be shortened from 40 days to 1 month. There is also an extended “right to be forgotten”.
- Changes to consent requirements: Where trustees are relying on consent from members to process their data (for example in relation to sensitive personal information about ill-health), consent requirements are more detailed than under the current law. For example, the consent must be distinguishable from other matters within any declaration and it must be intelligible, easily accessible and in clear and plain language.
- New obligations on processors: For the first time, data processors (such as administrators) will be subject to statutory obligations under the GDPR. New obligations imposed directly on data processors include requirements to: document data processing activities (where they have more than 250 employees); ensure processing is secure; and co-operate with the Information Commissioner’s Office (ICO). There are also additional requirements in relation to the content of contracts between data controllers and data processors.
- Notifications of breaches: A data processor (such as a scheme administrator) must notify trustees as soon as possible where there is a breach of security in relation to data. The trustees must then notify the ICO as soon as possible and in any event within 72 hours of becoming aware of it. There is an exception where a breach is “unlikely to result in a risk to the rights and freedoms” of individuals. A report to affected members may also be required in certain circumstances. Trustees will need to keep a record of any breaches which sets out the facts, the effect of the breach and the remedial action taken.
- Increased fines: Non-compliance with the new requirements can attract fines of up to €20,000,000 (or 4% of global turnover, if higher) for the most serious breaches, and fines may be levied directly on data processors.
What should trustees be doing?
The changes mean that trustees, employers, administrators and advisers will have to make some alterations to their data protection processes and contractual documentation in advance of May 2018.
It will take time for the industry to work out how best to comply with the GDPR. Over the coming months, administrators and advisers will be considering what steps to take to meet the new requirements and the ICO will be publishing new UK guidance. We recommend trustees consider putting data protection on meeting agendas in the first half of 2017. This should allow sufficient time to put new procedures in place in time for 2018.
The key areas that trustees and their administrators and advisers will need to consider in the run up to 2018 are set out below.
Trustee procedures – demonstrating compliance
Under the new regime, data controllers such as trustees will no longer need to register their activities with the ICO. Instead, they will need to maintain records of the processing activities that they are responsible for. Trustees will need to “implement appropriate technical and organisational measures” to ensure that compliance with the data protection principles forms an integral part of data processing. In addition, the GDPR says that where processing is carried out by a third party, the data controller should ensure that the third party has appropriate measures in place to ensure compliance with the data protection requirements.
In practice, trustees could deal with a number of these requirements by putting a data protection policy in place. The policy would set out how trustees have ensured and will continue to ensure that member information is processed in accordance with the requirements of the data protection legislation. It would also address issues such as how administrators will ensure that data is secure, including how the administrator will deal with subject access requests, who they might pass data on to, how they will ensure that that data is kept secure and how they will ensure that data processing complies with existing privacy notices.
Trustees will also need to report certain breaches to the ICO and their policy should include a procedure for doing so where required.
The ICO also suggests that data controllers should carry out an audit of all personal data that they hold in advance of 2018. The Pensions Regulator would no doubt support that suggestion, given its continued focus on data quality.
Communicating with members
As under the current law, trustees will need to ensure that members are provided with information about why data relating to them is being processed and the identity of the data controller. However, under the new regime members will need to be given additional information, including who the personal data will be provided to, whether the trustees intend to transfer personal data outside of the European Economic Area, and the safeguards in place to protect the data.
Information previously provided to members and other data subjects should be reviewed and plans put in place to issue updated information where required. Trustees of DB schemes may want to do this at the same time as issuing their 2017 summary funding statement.
Relationships with third parties
As part of ensuring compliance with the new regime, trustees will need to discuss the new requirements with the scheme administrator and advisers to ensure they comply with relevant security and data transfer obligations and review the data protection provisions in existing contracts with those service providers who process data on their behalf.
Trustees will need to ensure that the contracts contain the provisions envisaged by the GDPR and any other provisions the trustees feel are necessary, both to provide for compliance with member rights (including rights to access their data) and to ensure that the data is held securely.