PTL's Keith Lewis encourages providers and trustees to consider whether they can improve their communications to members.
Over the last twenty years, daily newspaper circulation in the UK has nearly halved. There are many reasons for this, but the use of technology and how people access information is undoubtedly a primary cause of this dramatic change. Today people generally expect communication to be widely accessible, more flexible, and available in bite-size chunks.
Technology is responsible for fundamental changes in our lifestyles, and not just in terms of how we access information. But for those yearning for some stability, worry not. There is always pension communication to remind us of days gone by. While there are some good and noteworthy examples, much of the communication coming from our industry remains stodgy, boring, and largely unintelligible. Indeed, many pension communications look very similar to how they did twenty years ago.
Mentally I have the image of impenetrable dark stretching in all directions shattered only by a steaming hulk of blindingly lit metal, bearing down in a cloud of snorting exhaust fumes and deafening noise. That's sort of how I feel about GDPR at the moment.
The General Data Protection Regulations, to give them their full name, come into force late in May next year. According to many they are a simple extension of the data protection rules we have lived, and possibly breathed, for many a year, updated to reflect the fact it is the 21st century now and we all communicate, store and exchange data electronically. There is, many will tell you, nothing to fear.
That might be a fair analysis (although it wouldn't make a very good horror film) but I am still in terror, for three reasons.
Firstly, a breach of the current data protection rules could, in the worst cases, result in a fine of up to £500,000. The worst kind of breach of GDPR could result in a fine equivalent to €20 million (or 4% of annual worldwide turnover, whichever is greater). That is a staggering, eye-watering step up that scares me witless, even though I think I'm doing okay. The sword of Damocles just grew in length from, say, 1 metre to 40!
So, I think I'm okay, but this is what makes me sweat: I don't know that I'm okay. We use good service providers – large reputable firms that are already all over this, but it is not that core operation that scares me. It's all the little peripheral things where this could go wrong.
Does one of my co-trustees have a box of old pension scheme papers sitting almost forgotten in his study, his attic, or maybe even his garage? We archive old papers for schemes long wound up – someone has to keep this stuff in case there's a question later.
What happens if in box 12, somewhere toward the back of file 48, there is a bit of sensitive personal data that we don't need to keep anymore and that we haven't catalogued? How good are we and our service providers, really, at deleting data that is no longer needed?
Then there are all the unanswered semi-legal (or actually legal, I suppose) questions. Should we be in touch with ex-service-providers to find out what they are doing? Should our minutes record member names, or indeed any other identifier, any more and if not, how do we link our decisions to scheme governance? The list gets longer every time I talk with people about this.
Data protection is important – it should be cultural, not just procedural – but we have always held, and will continue to hold, a lot of personal data. GDPR rightly ups the ante, if for no other reason than we have the World Wide Web and email now. But the known unknowns and unknown unknowns scare me witless and, right now, I think I'd rather stare down a truck in the dead of night.
This blog first appeared in Pension Funds Insider.