What Advisers Should Know About GDPR

While the GDPR does not directly address U.S. benefit plans, it should be of particular interest to defined contribution plan sponsors and their service providers because they hold personal information for each plan participant.

During a recent conversation with PLANADVISER, Peg Knox, chief operating officer of the Defined Contribution Institutional Investment Association (DCIIA), highlighted the growing importance of data privacy laws in the operation of U.S. retirement plans.

Knox says DCIIA is focused on this topic for a few reasons, including the fact that the European Union has now fully implemented the General Data Protection Regulation (GDPR). She also warns that the California Consumer Privacy Act (CCPA) goes into effect January 1, 2020—another sweeping data privacy regulation that includes many similar protections and provisions to GDPR.

“It may not be obvious at first, but these regulations can be potentially very significant for U.S. plan sponsors,” Knox says. “Even for plans that feel they are not at this stage subject to either regulation directly, doing a review of GDPR and CCPA may be helpful in considering how to respond as similar regulations possibly take effect in the U.S. at the federal or state levels.”

To this end, DCIIA recently published a detailed white paper that can help plan sponsors and their service providers understand and comply with both GDPR and CCPA. According to DCIIA’s analysis, GDPR marks the most significant change to European data privacy and security in more than 20 years.

“It regulates market practices for businesses operating within the EU and protects specific elements of the personal information of individuals residing in both the EU and the European Economic Area (EEA),” the paper explains. “In doing so, the GDPR has tightened existing EU privacy rules, added new rights for covered individuals, and provided a series of enforcement tools and penalties. The GDPR also enables the EU to hold all organizations engaging with any EU resident accountable for regulation violations, whether or not the firm is located within the EU.”

According to DCIIA, GDPR necessitates a particular, and in many cases new, way for organizations to interact with individual customers.

“For example, if a firm does business online or maintains a website, GDPR regulates whether, how and to what extent a firm may collect individual personal information; a firm may track or record individual website use, such as through cookies; a firm may utilize such information, and with what limitations,” the white paper says. “The GDPR applies regardless of whether the services are paid for or are free. … Since penalties for non-compliance are significant, affected organizations will want to be able to demonstrate effective processes, controls and compliance.”

According to DCIIA, one main practical upshot of GDPR for business operations is that “opt-out” practices have been replaced with affirmative “opt-in” consent or written individual agreements, which serve as one way to establish a legal basis for processing data. Other legal grounds for processing also exist, such as a legitimate business interest, a contractual obligation or a legal obligation.

Also important to understand are the GDPR’s requirements when a data breach occurs. As DCIIA explains, GDPR is specific about how data breaches must be handled.

“If your organization is a data controller, either the firm or its EU representative must notify the appropriate national supervisory authority within 72 hours of identifying a data breach, unless the individuals affected are unlikely to be harmed,” the paper explains. “If your firm is a data processor, it should immediately notify the data controller of the data breach. The information should include a breach description, the number of individuals and records impacted, potential consequences, and a resolution recommendation.”

What Does This All Mean For U.S. Plans?

While the GDPR does not directly address U.S. benefit plans, DCIIA says, it should be of particular interest to defined contribution (DC) plan sponsors and their service providers because they hold personal information for each plan participant.

“A U.S. retirement plan sponsor with EU residents in its plan will fall under the scope of the GDPR, if the plan’s website allows EU residents to access plan services,” DCIIA explains. “Within our industry, the trustees and fiduciaries for retirement plans would be considered the data controllers, and the data processors would be the service providers working with the retirement plan.”

In the case of a benefit plan that is processing data, DCIIA says, opt-in consent for data storage and processing may be obtained at the time the plan participant signs up for the plan. If a firm is acting as a third-party service provider, DCIIA says, the firm should ensure that the client organization has obtained written consent from its employees for their personal data to be passed to a third party.

“Service providers processing special data categories will be required to have an additional legal authority for such collection,” the paper warns.

DCIIA recommends that plan sponsors and service providers work with their ERISA counsel on these matters.

“The GDPR is complex, with many nuances,” the paper says. “Your ERISA counsel can help you work through the maze that is the GDPR and how it may apply to your organization’s specific circumstances. Consider the extent to which you may need to include GDPR-specific compliance procedures as an element in service-provider selection and oversight.”