Global menu

Our global pages


GDPR for Trustees – what do you need to know?

  • Ireland
  • General


What is GDPR?

The General Data Protection Regulation (the “GDPR”) will have direct effect in Ireland from 25 May 2018, and will replace current national data protection legislation.

It has become something of a bete noire among Irish data controllers, including pension trustees.  However, it builds on, rather than fundamentally replaces, existing data protection legislation, and its impact should be viewed in that context.

Nevertheless, the GDPR aims to effect a change in the culture and attitudes of data controllers towards data protection, and it broadens the rights of data subjects (i.e. pension scheme members) across the EU.

Outline of Key Changes

What impact will the GDPR have in practice? We have identified 10 key issues which Irish trustees should be focusing on prior to the introduction of the GDPR. 

1. Lawful Processing/Consent

It is important for the trustees of a pension scheme to remind themselves of the basis on which they are currently holding and processing the personal data of their members. An individual’s personal data can only be processed based on one or more of the following:

  • consent;
  • for the purposes of legitimate interests being pursued by the data controller (i.e. the trustees);
  • if it is necessary for the performance of a contract;
  • if it is necessary to comply with a legal obligation and/or if it is in the public interest; or
  • to protect the vital interests of an individual.

In most cases, member data is being held by trustees on the basis of a combination of the “non-consent” factors above. However, under the GDPR, member consent must be obtained in a much more specific fashion. Therefore, trustees should identify what personal data, particularly sensitive personal data (such as data relating to health or sexual orientation), they are holding on a “consent” basis.

2. Privacy Notices

Under the GDPR, pension trustees are obliged to process personal data fairly, lawfully and in a transparent manner.  As part of this obligation, the GDPR requires that certain minimum information be given to individuals. This information may be presented in a privacy notice or privacy policy which is given to members at the time of joining the pension scheme. The GDPR increases the amount of information which must be given to data subjects beyond the current requirements.

3. Record Keeping and Accountability

A welcome change introduced by the GDPR is that pension trustees will no longer have to register as data controllers with the Office of the Data Protection Commissioner (“ODPC”). However, trustees will be subject to stringent record keeping requirements in relation to their processing activities and must make their records available to the ODPC on request.  In addition, the trustees (and any data processors appointed by the trustees) are required to be able to demonstrate that they are processing personal data in accordance with the requirements set out in the GDPR. Therefore, pension trustees will be required (if requested) to show compliance with the GDPR.

4. Data Controller/Data Processor Relationship

The GDPR introduces some fundamental changes to the legal relations between pension trustees (as data controllers) and many of their service providers (as data processors). The GDPR provides that data controllers shall only use processors that can provide a guarantee of compliance with the GDPR and this relationship must be governed by a data processing agreement.

5. Data Minimisation

Under the GDPR, pension trustees will be required to only process personal data where this is necessary. This is an enhanced obligation and pension trustees should review what data they collect/process and why it is necessary.

6. Data Subject Rights

The GDPR has enhanced the rights of data subjects (i.e. scheme members). It is important for pension trustees to be aware that data subject access rights have been enhanced, as follows:

  • Data subjects have a right to be provided with access to their personal data within one month;
  • Data subjects must be told the period for which his or her data will be retained or, if this is not possible, the criteria for deciding the retention period;
  • The information must be provided free of charge (i.e. you cannot charge the current fee of €6.35);
  • Data subjects must be told about their rights to have their data corrected, deleted or to restrict the processing of their data;
  • A data subject has the right to require a data controller to delete his or her personal data in various circumstances;
  • Data subjects also have a right to have incorrect personal data corrected without undue delay; and
  • Data subjects have a ‘data portability’ right which is a right to access their data in a machine-readable format and, where technically feasible, to have the data transmitted directly from one data controller to another.

7. Data Security and Breach Reporting

The GDPR increases the obligations on data controllers where there is a personal data breach, including the following:

  • the data controller must notify the ODPC of the breach, if possible within 72 hours of becoming aware of it, unless the breach is unlikely to cause risk to individuals' rights and freedoms. Reasons for the delay must be given if the breach is not notified within 72 hours;
  • specified information must be included with the notification to the ODPC; and
  • the data controller must also notify the individual of the breach, where the breach would be likely to cause a high risk to the individual's rights and freedoms.

8. Data Protection Impact Assessments (“DPIA”)

Data controllers will have to carry out a DPIA (also known as a privacy impact assessment) before carrying out processing which involves a high risk for members (or beneficiaries). In particular, a DPIA will be required where:

  • there will be a systematic and extensive evaluation of individuals, on which decisions will be based which will have a significant effect on the individuals;
  • there will be large scale processing of special categories of personal data; or
  • systematic monitoring of publically accessible information.

9. Data Protection Officers (“DPO”)

The GDPR introduces a requirement for data controllers and data processors to appoint a DPO in circumstances where:

  • the processing is carried out by a public body;
  • the data controller or data processor monitors individuals systematically and on a large scale as a core activity; or
  • the data controller or data processor's core activities consist of large scale processing of special categories of personal data.

It is not clear yet whether pension trustees will generally be required to appoint a DPO, however, we are continuing to monitor the position in relation to this requirement. 

10. Enforcement

The consequences of non-compliance with data protection have been significantly expanded under the GDPR. The GDPR allows fines of up €20,000,000 or 4% of worldwide annual turnover, whichever is higher. It is not yet clear what ‘worldwide turnover’ would be taken to mean in relation to a pension scheme. However, a fine of up to €20,000,000 is clearly in itself a significant penalty.

How can trustees prepare for GDPR?

The impending rules can be seen as a good opportunity for trustees to review the personal data which they hold, either directly or via their service providers, and whether the level of this data and the arrangements under which it is held meet the requirements set out under the GDPR. 

Trustees will need to have their own road map or plan of action for GDPR compliance, however, it may be possible to leverage from the GDPR work being done by scheme administrators and other service providers (if applicable).

We would recommend that you start (with our help) identifying who’s data you hold, what data you hold, why you hold the data, how long you should retain the data for and where you are holding/storing this data.

Please click on the link below to view the Eversheds Sutherland GDPR video, which seeks to address the top ten most common issues raised in relation to the GDPR:

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

< Go back