Richard Butcher speaks of the importance of the new GDPR regulations but also of his fear of getting it wrong.
I seem to remember that one of Steven King's early films was about a chap driving across America in the dead of night when, for whatever reason, a truck starts harassing him. Presumably it starts at a low level before stepping up to intimidation and then, finally, arriving at terror – it being a Steven King film, after all. Can anyone remember what that was called?
Mentally I have the image of impenetrable dark stretching in all directions shattered only by a steaming hulk of blindingly lit metal, bearing down in a cloud of snorting exhaust fumes and deafening noise. That's sort of how I feel about GDPR at the moment.
The General Data Protection Regulations, to give them their full name, come into force late in May next year. According to many they are a simple extension of the data protection rules we have lived, and possibly breathed, for many a year, updated to reflect the fact it is the 21st century now and we all communicate, store and exchange data electronically. There is, many will tell you, nothing to fear.
That might be a fair analysis (although it wouldn't make a very good horror film) but I am still in terror, for three reasons.
Firstly, a breach of the current data protection rules could, in the worst cases, result in a fine of up to £500,000. The worst kind of breach of GDPR could result in a fine equivalent to €20 million (or 4% of annual worldwide turnover, whichever is greater). That is a staggering, eye watering step up that scares me witless, even though I think I'm doing okay. The sword of Damocles just grew in length from, say, 1 meter to 40!
So, I think I'm okay, but this is what makes me sweat: I don't know that I'm okay. We use good service providers – large reputable firms that are already all over this, but it is not that core operation that scares me. It's all the little peripheral things where this could go wrong.
Does one of my co-trustees have a box of old pension scheme papers sitting almost forgotten in his study, his attic, or maybe even his garage? We archive old papers for schemes long wound up – someone has to keep this stuff in case there's a question later.
What happens if in box 12, somewhere toward the back of file 48, there is a bit of sensitive personal data that we don't need to keep anymore and that we haven't catalogued? How good are we and our service providers, really, at deleting data that is no longer needed?
Then there's all the unanswered semi-legal (or actually legal, I suppose) questions. Should we be in touch with ex-service-providers to find out what they are doing? Should our minutes record member names, or indeed any other identifier, any more and if not, how do we link our decisions to scheme governance? The list gets longer every time I talk with people about this.
Data protection is important – it should be cultural, not just procedural – but we have always held, and will continue to hold, a lot of personal data. GDPR rightly ups the ante, if for no other reason than we have the World Wide Web and email now. But the known unknowns and unknown unknowns scare me witless and, right now, I think I'd rather stare down a truck in the dead of night.
This blog first appeared in Pension Funds Insider. To continue reading, please click here.