October 14, 2019


EU Pensions and GDPR – 12 Month Countdown Begins!

The European Union General Data Protection Regulation (GDPR) applies from 25 May 2018. Before that date, trustees of UK occupational pension plans will need to undertake some preparatory work, including:

  • Creating records of all personal data processing activities (or confirming delegation to plan administrators and obtaining confirmation that they will do this) and ensuring administration agreements reflect who is doing what,

  • Reviewing and amending agreements with other third parties,

  • If data is transferred outside of the EEA, putting in place international data transfer mechanisms,

  • Reviewing data security measures (see below),

  • Putting in place procedures for new individual rights,

  • Reviewing and amending privacy notices,

  • Assessing whether there is any ‘high risk’ use of personal data and

  • Formally adopting and rolling out new policies and procedures.

There are some obvious and less obvious pitfalls to consider here. For example, if a trustee is on holiday outside of the EEA and picks up emails containing personal data whilst away, that alone constitutes a transfer of personal data outside of the EEA.

The recent global cyber attack has thrown into sharp focus the need for trustees to ensure the robustness of the cyber security measures put in place by their data processors. As Investment & Pensions Europe reports, a Belgian pension fund (Ogeo) has also recently been the subject of a cyber attack.

Where trustees access emails and documents containing personal data through their own home computers and/or personal mobile devices, there are some key issues about how this is managed:

  • Do all trustees use up to date malware protection?

  • Do the trustees have rules around the encryption of personal data?

  • Do the trustees have a formal policy covering cyber security risks or do they document a policy in a business continuity plan or risk register?

  • Is there a nominated trustee, who is specifically responsible for cyber security?

  • Has the trustee board had any training on cyber security in the past 12 months?

  • Do service level agreements require the trustees’ providers to adhere to specific cyber security standards?

  • Do the trustees have a cyber security incident plan in place?

  • Do the trustees have insurance in place that would cover a cyber security breach or attack?

  • Do the trustees use a segregated wireless network with firewalls?

© Copyright 2019 Squire Patton Boggs (US) LLP

About this Author

Matthew Giles Pension Attorney Squire Patton Boggs Law Firm
Partner

Matthew Giles is an attorney who leads Squire Patton Boggs' team of Pensions lawyers in Birmingham. The wider Pensions team was named Human Resources (Specialism) Firm of the Year 2018 at The Legal 500 UK Awards.

He is a former finalist at the British Legal Awards. He is regarded as a "Leading Individual" in Pensions by The Legal 500 UK, and Chambers UK reports that he has a “practical, no-nonsense approach.”

Matthew specialises in advising on defined benefit pension plans, focussing on a range of deficit...

+44 121 222 3296