Cyber security and GDPR

Pension trustees are data controllers and are therefore responsible for protecting the scheme's personal data. Cyber security prevention should be embedded into the internal control processes. The Regulator has suggested that this should be a key agenda item in trustee meetings.

In addition, the Regulator has issued guidance on this matter which states:

“Pension schemes hold significant amounts of valuable data, and large volumes are often transferred to and from the employer(s), as well as advisers such as investment managers or the scheme actuary. Many schemes also offer members online access to their records, or use social media and other electronic means to communicate with members. As well as ensuring members’ records are complete and accurate, you need to put controls in place to ensure the security of member data. This will help you guard against fraud and meet your obligations under data protection law.

You should work with your administrators to ensure the right controls are in place, including controls to protect against cyber security threats. This includes ensuring that anyone with access to scheme and member records is suitably vetted and trained, and requiring administrators to have measures in place to avoid any security breaches (including cyber attacks) and data losses, and a plan for dealing with these and keeping you informed if they do occur.”

As a result, cyber security is now firmly on the risk register, together with the new General Data Protection Regulation (GDPR) rules that come into effect from May 2018.

The new rules replace the current Data Protection Act, and organisations can be fined for breach of the rules. The level of the fine depends on the nature of the breach. Breaches must be reported within 72 hours, and fines can be issued for failure to notify as well as for the breach itself.

Whether the fines specifically referred to in the GDPR could apply to pension schemes is unclear. The fine structure is calculated on worldwide turnover, and it is yet to be seen whether this can be converted to the net assets of the scheme.

It should also be noted that under the new rules the definition of ‘personal data’ is much wider than under the current Data Protection Act. It will include manually held as well as digitally held data, including data in databases, e-mail, file shares and mobile phones. It is also notable that the new rules apply to data processors as well as data controllers. What this means in practice is that ‘clouds’ will not be exempt from GDPR enforcement.

The key points for pension schemes to consider are:

  • Ensure that GDPR and cyber security feature on the risk register together with the controls in place to mitigate these risks;
  • Identify the categories of personal data held and determine the circumstances in which a breach would be notifiable;
  • Review the cyber security measures adopted by individual trustees (or directors of a corporate trustee);
  • Establish a data breach policy;
  • Ensure that contracts with service providers are sufficient to cover the new GDPR rules; they should include clarification on the notification process to trustees as soon as they are aware of a breach.