Preparation for the General Data Protection Regulation (GDPR)
Teachers Pensions conferences
17 October 2017
squirepattonboggs.com
Agenda
Background
Key changes
Preparing for the GDPR
Data mapping
Data processing agreements
Data security
Summary
Q&As
The General Data Protection Regulation
• 25 May 2018 deadline for compliance
• The Post-Brexit picture
• Data Protection Bill
• GDPR contains significantly more stringent requirements than the Data Protection Act 1998
• Consequences of non-compliance
ALL pension scheme trustees/managers will need to take action to ensure that they meet those requirements by 25 May 2018
Key changes affecting pension schemes
Data processors will have direct liability for breaches of the GDPR
Individuals must be given clear information about what is done with their data
Consent, if needed, must be clear and capable of being withdrawn
Full records of data processing
Mandatory data breach reporting
Privacy impact assessments
Data protection by design and by default
Article 30 GDPR
“Each controller … shall maintain a record of processing activities under its responsibility.”
Data mapping
Data mapping
Data flows between the pension scheme trustees/managers and: payroll, employers, administrators, actuary, insurers, scheme secretary, brokers, non-EEA processing centres, data storage, legal advisor, consultants, auditors, financial advisors, DC investment providers
Data mapping
• WHERE is the data? Identify recipients
• WHAT is the data?
• WHO does the data relate to?
• WHY is the data being processed?
• HOW is the data being kept secure?
• WILL the data be transferred outside the EEA?
• WHEN will the data be erased?
Data Mapping Questionnaire
Service provider and data processing agreements
All processors, e.g. employers, payroll, administrators, consultants
Agreements to be reviewed and revised prior to 25 May 2018
Processor or (joint) controller?
Service provider and data processing agreements
Data security and due diligence
Article 28 GDPR
“… the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Service provider and data processing agreements
Mandatory terms to be included in contracts
Transfers of personal data outside the EEA?
Liability and indemnities
Service provider and data processing agreements
Mandatory terms to be included in contracts
The subject matter and duration of the processing
The nature and purpose of the processing
The type of personal data and categories of data subjects
The obligations and rights of the controller
The obligations of the processor to:
• Only act on the written instructions of the controller
• Ensure that people processing the data are subject to a duty of confidence
• Take appropriate measures to ensure the security of processing
• Only engage sub-processors with the prior consent of the controller and under a written contract
• Assist the controller in responding to data subject requests to exercise their rights under the GDPR
• Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
• Delete or return all personal data to the controller as requested at the end of the contract
• Submit to audits and inspections and provide the controller with any information to demonstrate compliance with its processor obligations under the GDPR
Processors are under an obligation to inform the controller if the instructions to the processor are in infringement of the GDPR or other data protection law.
Data security and due diligence
Article 32 GDPR
“… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …”
Data security – threats and consequences
Threats
• Hacking
• Loss of a laptop
• Non-encryption of data
• Stolen/cracked passwords
• Virus/malware
• Human error
• By governments, criminals, political activists, disgruntled employees, bored teenagers
• Ever changing, evolving
Consequences
• Business interruption
• Reputational loss
• Fines
• Professional costs
• Legal claims and complaints
Data security and due diligence
Appropriate technical and organisational measures
• Integrity, availability and resilience of processing systems and services
• Restoration of access to data following an incident
• Encryption and pseudonymisation of personal data
• Confidentiality and limits on use
• Training
• Policies and procedures
• Due diligence on providers
• Risk register
• Regular testing and evaluation of security measures
Data breach
• Pensions industry attractive target for cyber attackers
• Trustees/managers to adopt data breach response plan
• ICO to be notified of data breach if likely to cause risk to individuals, without delay and, where feasible, within 72 hours
• Members to be informed of breach without delay if breach is “high risk”
A change in mindset
• Privacy by design and default
• Not a standalone compliance exercise
• Data protection to be built into all decisions and actions
Summary
1. Don’t delay
• 25 May 2018 deadline
2. Cybersecurity
• Is your data secure?
• Cyber breach response plan
3. A new mindset
• Data protection to be built into all decisions and actions
Q&A