The General Data Protection Regulation (GDPR) went live this year, amid a flurry of activity to ensure pension schemes were compliant with the rules and had communicated their compliance to their members.
Compliance begins at home
Though you will have ensured that you, and your third party providers, were up to speed with implementation, GDPR is not a one-off compliance project but an ongoing process that requires regular review and, potentially, revision.
The responsibilities and liabilities of controllers are set out in articles 24 and 28 of the GDPR, and schemes should already have applied those compliance requirements to any internal procedures and systems used by the scheme.
This process should be applied with equal rigour to outsourced administrators, because schemes remain responsible for the security of their data and for any data protection breaches for which they are found liable.
Putting the process in place
This means obtaining sufficient guarantees from your processor(s), particularly around expert knowledge, reliability and resources, that they can meet GDPR requirements.
These guarantees should be hard-wired into the contract so that they can be escalated under a code of conduct or enforced in law. This may use standard terms or bespoke contractual language, but it is important that it is in place.
Unless there is a legal or regulatory requirement for a processor to retain data for its own compliance reasons, personal data should be returned or deleted, at the controller's choice, after the end of the provision of services. It is important for a controller to have confidence that its processor can permanently delete personal data from its systems when asked to do so.
We have produced a checklist (see below) that schemes may use to double-check that the necessary processes are in place to ensure their administrators remain GDPR compliant.
GDPR system compliance – a controller’s checklist
Though this checklist is written with third party processors in mind, it is equally applicable to internal systems if the scheme processes personal data internally.
- Can the processor provide sufficient guarantees that its technical and organisational measures to protect the rights of data subjects are appropriate?
- Have you authorised any outsourcing on the part of the processor?
- Have you put in place a contract that clearly states:
  - the subject matter and duration of processing;
  - the nature and purpose of the processing;
  - the obligations and rights of the controller?
- Have you ensured the processor only processes personal data on your documented instructions? This will include transfers to countries located outside the European Economic Area (EEA).
- Have you ensured the processor's staff have committed themselves to confidentiality or have been appropriately vetted?
- Have you taken all measures for the security of processing as set out in Article 32 of the GDPR?
- Can the processor assist you in fulfilling a data subject request within one calendar month (covering Data Subject Access Requests (DSARs); rectification of data; erasure; restriction of processing; data portability; the right to object to marketing, automated decisions and profiling; and being informed of rectifications, erasures of data and restrictions of processing)? It remains the controller's responsibility, however, to determine whether a specific right applies in relation to articles 6 and 9, the lawful bases for processing that it is relying on.
- Can you, as the controller, report data protection breaches to the Information Commissioner's Office (ICO) and data subject(s) and carry out data protection impact assessments (DPIAs) while consulting with the ICO as required?
- Can you audit the processor’s processing?
- Do the processor's guarantees adhere to the codes of conduct and certification mechanisms referred to in articles 40 and 42 of the GDPR?