UK. Ready or not – a new data protection regime is coming

The pensions industry has one year to prepare for new regulations coming its way. Europe’s new data protection legal framework is set out in the General Data Protection Regulation (GDPR), which will come into force in all EU Member States, including the UK, on 25 May 2018. While the changes are not radically different to the current legal requirements, there are important developments that the pensions industry needs to be aware of ahead of May 2018.

Key points

1. A new EU data protection regime comes into force in May 2018

The General Data Protection Regulation (GDPR) will come into force in all EU Member States on 25 May 2018.

2. The GDPR will apply to the UK and is likely to apply after the UK leaves the EU

The UK will still be a Member State of the EU on 25 May 2018. The GDPR comes into effect for all Member States, and so will come into force in the UK. The UK will retain the GDPR following Brexit.

3. The GDPR is evolutionary rather than revolutionary

The GDPR does not mark a radical departure from the current data protection regime (i.e. in the UK under the Data Protection Act 1998 (DPA)). There are, however, certain key changes that will focus attention in the pensions industry.

4. There are four key developments that will affect the pensions industry the most

The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are:

  • more detailed privacy notices, whilst still being concise and easily understood;
  • overlapping controller and processor obligations, especially around security;
  • mandatory breach notification to regulators and members; and
  • more severe sanctions for non-compliance.

Full Content: Lexology
