The General Data Protection Regulation ("GDPR") is due to be implemented on 25 May 2018 and will replace the Data Protection Directive 1995 (the "Directive") which was transposed into Irish law by the Data Protection Acts 1988 and 2003 (the "Acts"). GDPR and the Data Protection Bill 2017 (the "Bill") (when enacted) will largely supersede the Acts.
GDPR will be legally binding in Ireland from its enforcement date (25 May 2018) and will not require implementing national legislation to be effective. The Bill (when enacted) will give further effect to GDPR and will clarify the provisions that give Member States a limited margin of flexibility. GDPR (like the Directive and the Acts) will govern the processing (i.e. handling, accessing, transferring etc.) of personal data.
Personal data includes member data held by pension scheme trustees. Processing of "Special Categories of Personal Data" ("SCPD") requires increased protection.
Trustees may process SCPD which requires separate consideration.
Trustees will have a number of actions to take in advance of the commencement of GDPR, a summary of which is set out below. If you would like further information in relation to these or if you would like trustee training on this topic, please contact your usual Arthur Cox pension team contact.
Common definitions under the current Acts and GDPR are set out at the end of this update.
WHAT DO TRUSTEES NEED TO DO?
Adopt a data breach response procedure to handle breaches within the new 72 hour timeframe Maintain an internal record of data processing activities in order to demonstrate "accountability" Review their data protection policy in light of GDPR requirements Update privacy notice/data protection statement to ensure data subjects are provided with transparency notice detailing how their personal data is processed Review procedures in light of data subjects' additional rights (e.g. the right to be forgotten and the right to data portability) Review contracts with scheme administrators and other data processors Notify members that the legal basis for processing their data is that it is lawful and necessary for the operation of the scheme Revisit scheme indemnity provisions to determine who would have to foot the bill for any breach of GDPR by the scheme DON'T
Register with the DPA: GDPR will abolish the requirement to register with the DPA CONTINUING TRUSTEE OBLIGATIONS UNDER GDPR
While trustees may outsource activities involving the...