Association of Consulting Actuaries · Radisson Blu Hotel, Manchester Airport 22 September 2017

Radisson Blu Hotel, Manchester Airport

22 September 2017

Association of Consulting Actuaries

2017 Northern Conference

Kate Atkinson

Senior Associate

Joanna de Fonseka

Associate


Agenda

Why is data protection in the news?

Data in a pensions context

TPR view and current scheme practices

DPA principles for actuaries

IFoA 2014 Guidance on Data Controller Responsibilities

General Data Protection Regulation

Game Changers

Roadmap for Pension Schemes and Actuaries

© 2017 Baker & McKenzie LLP · DocID 9451066

Data Protection: In the Press

Tesco would face a £1.9bn fine under the GDPR for a recent data breach, after 20,000 customers had money stolen from their Tesco Bank accounts (November 2016)

Telecoms company TalkTalk issued with a record £400,000 fine by the ICO for security failings that allowed an attacker to access the personal data of 160,000 TalkTalk customers (October 2016)

Japan's pension system hacked; 1.25 million cases of personal data leaked (2015)

ICO found Verity Trustees Ltd to be in breach of the DPA after the Trustees reported that a laptop containing the personal data of 110,000 scheme members was stolen from its software provider's offices (2009)


Pensions context

Data within pension schemes

Data held: name; D.O.B.; NIC number; address; email; dependants; bank details; health (e.g. early retirement); employment; bank accounts…

Often sensitive/confidential

Pensioner and dependant data; often data for the entire membership

IT security; "click to accept" privacy notices?

Processing of pension benefit increase information; a greater number of parties involved than for individual benefit requests

Platform for savers to see all their pension pots in one place: live by 2019 (prototype by March 2017)

Data Protection: What TPR has to say

Speaking at the annual Society of Pension Professionals' conference in September 2016, Lesley Titcomb urged trust-based schemes to start thinking about data protection as a matter of priority:

Trustees should undoubtedly be capturing cyber security as a key risk on their risk registers

It is trustees who are the data controllers under the Data Protection Act, so it is the trustees who must make sure they have all the proper protocols and policies in place, and that any third parties they use also have the appropriate controls in place… This is a really important point about holding your administrators to account

Pension schemes are likely to be attractive targets to cyber criminals, because they hold a lot of personal employment and financial data

"Research shows that third party scheme administrators do less testing of internal controls compared to in-house or combined arrangements while reporting comparatively higher incidences of fraud. Such schemes may therefore be at greater risk"

TPR's Corporate Plan 2016-2019: focus on third party providers?

Data Protection: TPR publications

Lesley Titcomb: "Pension schemes are sitting there with an awful lot of personal data, an awful lot of bank details and actually it is a big issue. We're to make sure we deal with it before a scandal hits"

Compliance & Enforcement Strategy: "We will publish… our enforcement successes and publicly name those employers who do not comply with… the Data Protection Act 1998"

Inducement offers: "Trustees must be mindful of the data protection issues raised by inducement offers. Trustees should also bear in mind the data protection aspects before they agree to release members' personal information to an employer for use in an inducement exercise"

Record Keeping: "Pension schemes hold significant amounts of valuable data, and large volumes are often transferred to and from the employer(s), as well as advisers such as investment managers or the scheme actuary. Many schemes also offer members online access to their records or use social media and other electronic means to communicate with members. As well as ensuring members' records are complete and accurate, you need to put controls in place to ensure the security of member data. This will help you guard against fraud and meet your obligations under data protection law"


Data protection for actuaries: the current position

Are actuaries data controllers or processors?

IFoA Guidance: if the Scheme Actuary is a Specialist Service Provider; he/she is appointed in a personal capacity (Section 47 PA 1995); and is responsible for handling personal data, then "that individual is likely to be acting as a data controller distinct from the firm"

Data Controller's obligations under the DPA 1998: register with the ICO on an annual basis; comply with the 8 DP principles

8 Key Principles of Data Protection: data protection obligations on actuaries

1 Fair and lawful processing

2 Processing only for specified and lawful purposes

3 Data to be adequate, relevant and not excessive

4 Data to be accurate, and kept up to date

5 Data to be retained no longer than necessary

6 Data to be processed in accordance with the data subject's rights

7 Security measures (against unauthorised processing, accidental loss or damage)

8 No transfer outside the European Economic Area (EEA) without adequate protection

DPA for Actuaries: Key arrangements

Trustees and Individual Actuaries: appointment under PA 1995; engagement letter

Individual Actuaries and Actuarial Firm: employment / partnership agreements

DPA for Actuaries: Allocation of roles/risk

Suggested/possible responsibilities for each principle, as between Client, Scheme Actuary and Firm: to be discussed and agreed.

1 Fair and lawful processing

2 Processed for limited purposes

3 Adequate, relevant and not excessive

4 Accurate and up to date

5 Not kept for longer than is necessary

6 Processed in line with data subjects' rights

7 Secure

8 Not transferred to extra-EEA countries without adequate protection

DPA for Actuaries: Comfort in IFoA Guidance

"The ICO has provided a level of reassurance in terms of its enforcement policy relating to a processing activity that contravenes the DPA. Where the Scheme Actuary and his/her client and/or firm are joint data controllers, and there is a documented audit trail in place between the Scheme Actuary and his/her client and/or firm (as applicable) setting out which party is responsible for which elements of compliance with the DPA, the ICO would be likely to take into account how responsibility for compliance had been allocated. Therefore, if the contravention related to a processing activity allocated to the firm and/or the client, the ICO might not typically look to an individual Scheme Actuary in any enforcement action, except in the circumstances described in paragraph 6.2.7."

6.2.7 " … not absolve the Scheme Actuary of his/her statutory obligations … he/she would still be deemed to be non-compliant … if, on the facts, the data protection compliance issue arose in relation to the Scheme Actuary's area of responsibility"

Scheme actuaries may be Joint Data Controllers with the Trustee and/or the Actuarial Firm.

Key issue for Actuaries:

Allocate – and contractually document – responsibility for (and liability protection in respect of) each data protection obligation as between:

i. Trustees and Scheme Actuary (engagement letters); and

ii. Scheme Actuary and their Firm (employment/partnership agreement).

The GDPR: 13 Game Changers

EU GDPR: 13 Key Game Changers

Game Changer: Changes created by GDPR

1 Data Protection Officer: DPO required for public authorities, or for private companies by the nature and scope of their processing activities (e.g. large-scale systematic monitoring, large-scale processing of sensitive data)

2 Data Breach Reporting: Report to the Supervisory Authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects; where it is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be notified without undue delay

3 Consent: No longer able to rely on implied consent. New rules for consent re children under 16 online

4 Data Mapping: Importance of keeping records of processing activities to produce on request to Supervisory Authorities

5 Cross-Border Data Transfers: BCRs and Model Clauses ok for now. Seals and certifications recommended

6 Data Processor Obligations: Direct compliance obligations on processors (e.g. implementing technical and organisational measures, notifying the controller without undue delay of breaches and appointing a DPO (if required))

7 Rights of Data Subjects: Rights extended (e.g. data portability, right to erasure (the "right to be forgotten"), limitations on profiling)

8 One Stop Shop & Consistency: No longer responsible to multiple data protection authorities. The "One Stop Shop" means companies will deal with one lead Supervisory Authority in their main country of establishment or where their centre of administration is based. Mutual co-operation mechanism

9 Enforcement and Sanctions: Stronger penalties for non-compliance; maximum fines up to EUR 20,000,000 or 4% of annual worldwide turnover (whichever is higher) for the most serious infringements

10 Data Protection Impact Assessments: A data protection impact assessment should be performed to identify and address privacy risks before implementing new systems and technologies

11 Privacy by Design: Technical and organisational measures must be applied (such as data minimisation / pseudonymisation) to ensure data is appropriately protected, depending on risk

12 Profiling Restrictions: Individuals have certain rights to object to profiling, to be told about it in privacy notices, and not to be subject to automated decisions based solely on it (if such profiling "significantly affects the individual")

13 Accountability: Must be able to demonstrate compliance with the data protection principles
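The data minimisation and pseudonymisation measures named under Privacy by Design, carried through on the kind of member data the "Data within pension schemes" slide lists, as an added example that is not part of these slides or of any Baker & McKenzie, IFoA or TPR material. It builds the extract a controller (trustees/administrator) would hand to an adviser such as the scheme actuary: direct identifiers are dropped, the NI number is replaced by a keyed pseudonym that only the key holder can map back, and a release check confirms nothing identifying slipped through. It also shows why an unkeyed hash of an NI number is not a pseudonym: the NI-number space is small enough to enumerate, so a plain hash is reversed by a dictionary attack. The member records, the list of fields the valuation needs, and the key are all constructed assumptions for the example.

```python
"""Added example, not from the slides: data minimisation plus keyed
pseudonymisation of a pension-scheme member extract before it goes to an
adviser such as the scheme actuary. Member records, field lists and the key
are all constructed for the example."""
import hashlib
import hmac

# Constructed sample records of the kind listed under "Data within pension
# schemes" (names, NI numbers and bank details are invented).
MEMBER_RECORDS = [
    {"name": "A. Example", "ni_number": "QQ123456C", "dob": "1961-04-12",
     "address": "1 Sample St, Manchester", "email": "a@example.org",
     "bank_account": "12-34-56 12345678", "status": "pensioner",
     "pension_pa": 14250.0, "sex": "F"},
    {"name": "B. Example", "ni_number": "qq 65 43 21 a", "dob": "1975-09-30",
     "address": "2 Sample St, Leeds", "email": "b@example.org",
     "bank_account": "65-43-21 87654321", "status": "deferred",
     "pension_pa": 6100.0, "sex": "M"},
]

# Direct identifiers the adviser does not need (assumption for the example).
DIRECT_IDENTIFIERS = {"name", "ni_number", "address", "email", "bank_account"}
# Fields assumed to be needed for the valuation work.
VALUATION_FIELDS = ("dob", "sex", "status", "pension_pa")

# Secret held only by the controller. In practice generate it with
# secrets.token_bytes(32) and keep it in a key store, never in the extract.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"


def normalise_ni(ni_number):
    """Canonical form so the same member always gets the same pseudonym."""
    return "".join(ni_number.split()).upper()


def pseudonym(ni_number, key):
    """Keyed pseudonym (HMAC-SHA256, truncated to 64 bits for readability).
    Reversible only by the key holder via the re-identification table, and
    stable across extracts so the adviser can link records between years."""
    mac = hmac.new(key, normalise_ni(ni_number).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def unkeyed_hash(ni_number):
    """What NOT to do: a plain hash. The NI-number space is a few billion
    values, so anyone can precompute it and reverse the hash offline."""
    return hashlib.sha256(normalise_ni(ni_number).encode()).hexdigest()[:16]


def dictionary_attack(target, candidates, hash_fn):
    """Attacker's view: recompute hash_fn over guessed NI numbers and compare.
    Works against unkeyed_hash; fails against pseudonym() without the key."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return normalise_ni(candidate)
    return None


def build_actuary_extract(records, key):
    """Return (extract, reid_table): minimised, pseudonymised rows for the
    adviser, and the re-identification table that stays with the controller."""
    extract, reid_table = [], {}
    for rec in records:
        pid = pseudonym(rec["ni_number"], key)
        extract.append({"member_id": pid, **{f: rec[f] for f in VALUATION_FIELDS}})
        reid_table[pid] = normalise_ni(rec["ni_number"])
    return extract, reid_table


def leaked_identifiers(extract):
    """Release check: any direct identifiers that survived minimisation."""
    return {k for row in extract for k in row if k in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    rows, reid = build_actuary_extract(MEMBER_RECORDS, CONTROLLER_KEY)
    print("leaked identifiers:", leaked_identifiers(rows) or "none")
    for row in rows:
        print(row)
    guesses = ["AB123456C", "QQ123456C", "QQ654321A"]  # attacker's wordlist
    print("unkeyed hash reversed:",
          dictionary_attack(unkeyed_hash("QQ123456C"), guesses, unkeyed_hash))
    print("keyed pseudonym reversed:",
          dictionary_attack(pseudonym("QQ123456C", CONTROLLER_KEY), guesses, unkeyed_hash))
```

The re-identification table is the piece that makes this pseudonymisation rather than anonymisation: it must stay with the controller, under the same access controls as the key, and the extract that leaves for the adviser carries neither.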


Implications for Trustees

What does this mean in the pensions context?

Pension schemes hold large amounts of member data, some of which is sensitive

Handling this data has become increasingly complex

The increased complexity means that complying with the GDPR will require careful planning

Ensuring data is properly handled guards against (i) reputational damage; (ii) potential GDPR penalties; and (iii) members seeking to recover damages for injury or distress

Trustees should also ensure the security of member data in light of their overriding fiduciary obligations

What practical steps can be taken?

A comprehensive compliance plan will be required. First steps:

Understand what data is currently held, what data may be required in the future, and to whom data is currently provided or may need to be provided in the future

Where are consent notices currently given? What approach is needed if we move to a positive consent environment?

Consider whether compliance audits are in place and adequate; if not, what would these look like and how would they be managed?

What provisions are in existing contracts and arrangements with service providers? Do these need to be updated?


The GDPR will impose new or enhanced obligations upon actuaries.

Key risk areas that need to be addressed or reviewed by actuaries in light of the GDPR concern:

Consent of scheme members

Rights of scheme members

Privacy notices to scheme members

Data protection obligations of data processors such as vendors

Transfers of personal data outside the European Economic Area

Notification of data breaches to the ICO and to data subjects in certain circumstances

Data protection by design and default

Accountability

Contractual relationship with trustee and actuarial firm and responsibilities vis-à-vis data subjects

For further details, please see page 2 of the Handout.

Baker & McKenzie International is a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

© 2017 Baker & McKenzie LLP

www.bakermckenzie.com