Quarterly Pensions Update – September 2017

(On the) GrapeVine: GDPR and its impact on Scheme Trustees

The General Data Protection Regulations (“GDPR”) is EU law which comes into effect on 25 May 2018 and is expected to continue in UK law notwithstanding Brexit under a Data Protection Bill which will be published over the next few months.

The GDPR will significantly increase the obligations of those who hold data relating to other people including trustees of pension schemes (as “data controllers”) and providers of administration services who will become jointly and severally liable for breaches and subject to higher fines.

The way in which scheme administration is undertake will change as trustees will no longer be able to rely on implied consent as a basis to hold personal data. Trustees will need to consider holding the personal data for a different lawful purpose relying on a ‘legitimate interests’ or performance of a ‘legal obligation’. This will not be available for sensitive personal data i.e. details of health or sexual orientation which currently requires the explicit consent of the member.

What should Trustees do?

Undertake an audit of your data (termed ‘data mapping’) to establish how personal data is held i.e. paper form, electronic form, in the ‘cloud’ and where (within or outside the EEA) and prepare a record of your personal data processing activities.

Prepare a GDPR compliance policy and state within the policy what responsibilities the trustees and their advisors hold.

Review and update existing contracts/agreements with third parties to ensure provisions compliance with GDPR (with more prescriptive terms to apply regarding security of data, its storage and use of sub-processors).

Prepare a data breach/retention policy.

Undertake a review of your full data security measures.

Ensure that procedures are in place to deal with individual rights and review and amend existing privacy notices so that they contain all the relevant information.

Prior to the GDPR coming into effect, prepare a project plan for dealing with the above and ensure that these are reviewed periodically.

What should Trustees not do?

Trustees should not ignore their duties under the GDPR and should seek legal advice to understand what their new GDPR obligations are. Trustees should also be wary of some of the following common myths surrounding trustees and their pension schemes.

Only trustees are impacted by GDPR

This is incorrect. GDPR impacts on all individuals who are responsible for processing data which includes both trustees and their advisors as data processors.

Members have a right to be forgotten

This is incorrect. Individuals only have a right to be forgotten in exceptional circumstances.

As we act as scheme trustees and the scheme’s assets provide benefits for our members we will not be subject to the maximum fine should we breach GDPR

This is incorrect. The Information Commissioner has previously held trustees personally liable which has resulted in their personal assets being at risk.

HMRC’S additional requirements for trustees

The new money laundering regulations known as the Money Laundering Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 came into force on 26 June 2017.

These new regulations introduce additional requirements for trustees of a “relevant trust”.

What is a Relevant Trust?

A relevant trust is a trust which has:

1. at least one UK resident trustee and where the “settler” was domiciled in the UK either at the time the trust was established or when the settler added funds to the trust; or
2. all trustees are resident in the UK.

What are the additional requirements for Trustees?

There are three new duties; the duty to maintain records, disclose information to HMRC and disclose beneficial ownership.

Duty to maintain records

Trustees must ensure that they hold and maintain up-to-date written records of all beneficial owners of the trust i.e. beneficiary’s name, date of birth, National Insurance number, and role in relation to the trust. The trustees must also include within their records, the full details of the advisers to the trust (i.e. legal advisers, financial or tax advisers) together with the trustees’ contact details.

Duty to disclose information to HMRC

A somewhat onerous duty is the requirement for trustees to provide HMRC with information about any ‘taxable relevant trust’ and each of its beneficiaries.

A taxable relevant trust is a relevant trust that is liable in any given tax year for certain taxes on its assets or income.

The above information must be provided to HMRC prior to 31 January 2018 or any subsequent 31 January after the tax year when the trustees first become liable to pay any of these taxes.

The trustees must also ensure that in any subsequent 31 January after any tax year when they became liable to pay any taxes they must update the information previously provided to HMRC or confirm that there has been no change to the information.

Duty to disclose beneficial ownership

In circumstances where a trustee enters into a ‘relevant transaction’ or where a trustee creates a business relationship with a ‘relevant person’ on behalf of the trust, the relevant person must be informed by the trustee that he is acting in his capacity as a trustee and must provide details of the beneficial owners of the trust. In cases where there is a change with the beneficial owners, then the trustee must inform the relevant person of the same within 14 days of becoming aware of the change.

What happens if the Trustees do not comply?

A failure to comply with the new money laundering regulations can subject the trustees to civil penalties or criminal liability (which could be an uncapped fine, two years’ imprisonment or both). However, provided that the trustees have undertaken reasonable steps and due diligence in order to comply with the regulations than they will not be liable for any civil penalties or criminal liability.

Next Steps

We would recommend that trustees make themselves aware of the new requirements, review the quality of the member data, and engage with their advisers to understand whether the pension scheme’s investment structure is such that it will be seen by HMRC to be a relevant taxable trust.

---

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.