Knock, Knock! Who’s There? GDPR! GDPR! GDPR!
The answer to most “knock knock” jokes is hilarious and funny. However, the answer, “GDPR, GDPR, GDPR,” to my “Knock Knock! Who's there?” post on the ACOPA Listserv on June 6, 2018, is anything but hilarious and funny.
What is GDPR?
The acronym GDPR stands for the General Data Protection Regulation. The regulation applies to any organization that collects, processes, or stores the personal data of EU Citizens or EU Residents regardless of whether or not the organization is located or has physical footprints in the EU. See the explanation of “data subject” under the caption “A Key Concept” below. The GDPR protects the personal data of data subjects, regardless of where their personal information is located, processed or stored. The major aim of the GDPR is to give data subjects greater protection and control of their personal data. The GDPR also aims to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR was approved and adopted by the European Union (EU) Parliament on April 27, 2016 and went into effect on May 25, 2018, i.e., the deadline for organizations to comply with GDPR was May 25, 2018. The GDPR replaces the “1995 Data Protection Directive which was adopted at a time when the internet was in its infancy.”
Structure of the GDPR
The GDPR consists of 173 Recitals and 99 Articles. The regulation is comprehensive and complex. Thus, it is not the intention of this article to cover all of the GDPR. However, it is the intention of this article to provide you with some understanding of GDPR, so that when you receive your client’s “knock, knock — who’s there? GDPR Compliance Strategy Request” email, you can at least create a compliance strategy structured for your business. While not hilarious and funny, at least it should be much less stressful.
Point of View
It is important to understand at the outset that I am writing from the point of view of a third-party administrator and actuary (processor) who processes personal data on behalf of the controller in regard to the administration of ERISA retirement plans. This relationship or point of view is of the utmost importance since it establishes the purpose and legal basis, as required by Article 6(1) point (a) thru point (f), for the “processor” to collect, “process,” and store the “personal data” of employees, including “data subjects” of the “controller” in a valuation and recordkeeping “filing system.”
The GDPR is replete with new concepts and terms, four of which must be highlighted at the beginning of this article as follows:
- “controller” as defined under Article 4(7) of the GDPR, “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data,” i.e., a plan sponsor or a TPA client;
- “processor,” as defined under Article 4(8) of the GDPR, “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”;
- “data subject,” as defined under Article 4(1) of the GDPR, refers to “an identified or identifiable natural person”; and
- “personal data,” as defined under Article 4(1) of the GDPR, refers to all information which is related to a data subject, including, but not limited to, names, birthdays, physical addresses, email, IP addresses, and other demographic information.
For your convenience, I am providing you with a link to what I consider a user-friendly way to navigate thru the GDPR. The link is located at https://gdpr-info.eu/recitals/no-2/. In addition, references to Articles and Recitals are linked to the source.
“Article” or “Recital” are references to an Article or Recital of the GDPR. Due to the length of some Articles and Recitals, I will not write out the full Article or Recital, but instead only mention the Article or the Recital; thus, you only need to click on the linked reference to an Article or Recital to view the source. It is important to understand that this article is based on the GDPR Compliance Strategy provided to our clients requesting that we provide them with our GDPR Compliance Strategy.
A Key Concept
Reading the GDPR, you may believe that the GDPR only applies to EU Citizens or EU Residents. However, it is important to note that Article 3(2) of the GDPR, states: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Thus, Article 3(2) makes clear that a data subject is more than an EU Citizen or an EU Resident, i.e., a data subject could be someone on vacation or someone in transit through the EU. Note that “Union” as used above refers to the European Union and not a labor union.
Foundation of a Data Privacy and Data Protection Governance
Recital 2 of the GDPR states: “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.” Thus, the foundation of a data privacy and data protection compliance strategy should:
- establish the purpose and legal basis for a company, as processor, to collect, process, and store the personal data of employees, including the data subjects, of the controller; and
- implement the appropriate technical and organizational measures in a manner that will allow processing to meet the requirements of the GDPR to ensure the protection of the personal data of employees, including the data subjects, of the controller.
Establishing the Legal Basis and Purpose to Collect, Store and Disclose Personal Data for Processing
Recital 40-Lawfulness of data processing states that “in order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
The plan sponsor of a qualified plan under IRC Section 401(a) is required to perform annual administration under the plan in order to satisfy various ERISA, IRS, DOL, and Treasury regulations so that the plan can maintain its qualified status. The plan document will establish the legal basis for the controller to collect, store and disclose the personal data of its employees, including data subjects, to the processor for processing in accordance with Recital 40. The plan document requires the Plan Administrator to collect personal data from participants in the plan to effectuate any participant elections made under the plan. In addition, the Service Engagement Agreement (contract) between the processor and the controller should clearly state the purposes as well as the legal basis to collect, store, and disclose the personal data of employees, including data subjects of the controller to the processor for processing.
Article 13(1) of the GDPR states, in pertinent part, that “Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.”
Most, if not all, Service Engagement Agreements will allow the controller to satisfy Article 13(1).
Contracting the Processor and Recipient Under Article 28(3)
Article 28(3)-Processor, states, in pertinent part, that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
Most Service Engagement Agreements clearly establish the Plan Sponsor as controller and contract the actuary or TPA as processor in accordance with Article 28(3), and as recipient as defined under Article 4(9) of the GDPR.
Establishing a “Filing System” Under Article 4(6)
Article 4(6) of the GDPR applies to the processing of personal data by both automated and manual means provided that the personal data are contained, or are intended to be contained, in a “filing system.”
Most actuaries and TPAs have valuation and recordkeeping systems that will meet the definition of a “filing system” as defined under Article 4(6).
Collecting and Disclosing Employee Census Data (Personal Data) from the Controller
The employee census data requested from the controller meets the definition of personal data as defined under Article 4(1) of the GDPR. Moreover, the disclosing of personal data by the controller to the processor and the recipient for processing establishes the criteria for processing by the authority of the controller and processor under Article 6 of the GDPR.
Processing Personal Data Disclosed to the Recipient
Article 4(2) states that “processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Prohibitions Under Article 9(1) of the GDPR
Article 9(1)-Processing of special categories of personal data states that the “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” However, Article 9(2) states that “Paragraph (1) shall not apply if one of the following applies...” The exceptions to Article 9(1) are located under Article 9 point (2)(a) thru point (2)(j); please see those points for the full list.
Annual Individual Participant Statements Satisfy Recital 42, Article 12 and Article 13 of the GDPR
Recital 42-Burden of proof and requirements for consent states, in pertinent part, that “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given.”
The annual individual participant statements, displaying personal data among other things, provided to the controller by the processor to be distributed to plan participants, including data subjects, “demonstrate that the data subject has given consent to the processing operation” as required under Recital 42, and satisfy Article 12 and Article 13 of the GDPR annually.
Declaration that Confidential Personal Data is Gathered Legally Under Strict Conditions
The processor and recipient should affirmatively declare in their GDPR Compliance Strategy that the requesting, processing and storing of confidential personal data are performed under the legal requirements of ERISA, IRS, DOL, and the United States Treasury (Treasury).
Confidentiality under Article 28(3)(b)
Article 28(3)(b) of the GDPR states, in pertinent part, that “persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.”
The American Retirement Association (ARA) Professional Code of Conduct will satisfy the requirement under Article 28(3)(b) of the GDPR.
Protecting Personal Data from Breach and Misuse under Article 5(1)(f) and Article 28(1) of the GDPR
Under Article 5(1)(f) of the GDPR, “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” Moreover, Article 28(1) of the GDPR states that, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Personal Data Breach under Article 4(12) of the GDPR
In order to respond to a breach, both the controller and the processor must be able to recognize a breach. Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
The first takeaway from this definition is that a breach is some type of security incident. The second takeaway, and probably the most important, is that the GDPR, with all of its required notifications and fines, only applies if there is a breach of personal data.
Under the GDPR, a “personal data breach” could be classified as any of the following three types:
(1) “Availability breach,” when there is an accidental or unauthorized loss of access to, or destruction of, personal data;
(2) “Integrity breach,” when there is an unauthorized or accidental alteration of personal data;
(3) “Confidentiality breach,” when there is an unauthorized or accidental disclosure of, or access to, personal data.
Under Article 5(1)(f) and Article 5(2) of the GDPR, the controller must ensure compliance with the principles relating to the processing of “personal data” as outlined in Article 5 of the GDPR. Thus, the consequence of a personal data breach is that the controller will be unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 of the GDPR.
Notification by Processor to Controller of a Personal Data Breach under Article 33(2) of the GDPR
Article 33(2)-Notification of a personal data breach to the supervisory authority, states that “The processor shall notify the controller without undue delay after becoming aware of a personal data breach.” The obligation on the processor to notify the controller will allow the controller to address the breach and to determine whether or not it is required to notify the supervisory authority in accordance with Article 33(1) and the affected individuals in accordance with Article 34(1) of the GDPR. Note that the GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay.” However, in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours under Article 33(1), the processor should provide immediate notification of any personal data breach, with further information about the breach provided in phases as information becomes available. Note that the processor has no other notification or reporting responsibilities under the GDPR.
Right of Access, Right to Erasure (To Be Forgotten), Right to Restriction of Processing, Right to Data Portability
The rights of data subjects under Articles 12 to 22 of the GDPR should not preempt the legal rights of the controller to carry out the provisions of the Employee Retirement Income Security Act of 1974. This fact is borne out by looking at each of the rights under the respective articles of the GDPR as follows:
Article 15-Right of Access by the Data Subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information contained in Article 15(a)-(h).
Article 16-Right to Rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Article 17-Right to Erasure (or the right to be forgotten)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and where there is no other legal ground for the processing. Article 17 goes on to state that the right of a data subject to erase personal data or to be forgotten, is only applicable “where there is no other legal ground for the processing.”
An ERISA qualified plan will potentially have legal grounds for the processing of personal data of a data subject. In addition, Article 17-Right to erasure (right to be forgotten) appears, initially, to be in conflict with IRS rules on record retention in the case of a terminated plan.
Article 18-Right to Restriction of Processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject. Article 18(c) goes on to state that the right of a data subject to restrict processing of personal data is contingent on the “controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.”
Article 20-Right to Data Portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and the processing is carried out by automated means.
On initial reading of Article 20, there seems to be a host of practical and legal ERISA, IRS and DOL issues with Article 20. However, the concern is satisfied by points (b) thru (e) under Article 6(1)-Lawfulness of Processing, in particular point (c).
(1) Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What is the Meaning of Article 2 point (2)(a) of the GDPR?
Article 2 of the GDPR defines the material scope and Article 3 defines the territorial scope of the GDPR. In particular, Article 2 point (2)(a) states that “This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law.”
It appears to me that the activity of processing personal data to perform an account balance valuation or an actuarial valuation as required by ERISA, IRS, DOL and the Treasury regulations is an activity which “falls outside the scope of Union law,” i.e., the GDPR. Note that the United Kingdom (UK) is scheduled to exit from the European Union on Friday, March 29, 2019. An immediate question is whether the GDPR will still apply to the UK as a non-member of the EU. I have found no statements coming from the UK addressing this issue.
The GDPR, with its 99 Articles and 173 Recitals, can seem quite intimidating and challenging at first blush. Thus, it is quite natural to close the file and go searching for articles to read on the GDPR. Some of the articles are quite good in getting you to “wade in.” However, if you have received a request from the GDPR team of your largest and most important client requesting that you provide them with your company’s GDPR Compliance Strategy, you can use this article as a guide. In addition, I suggest that you follow the steps below.
The overarching aim of the GDPR is to give data subjects, EU Citizens and EU Residents, greater protection and control of their personal data. Thus, the first area of focus might be to establish the legal basis and purpose to collect, store and disclose personal data of data subjects for processing. Accordingly, you might want to start by reading Recital 40-Lawfulness of data processing and Article 6(1) point (a) thru point (f). After reading Recital 40 and Article 6, you will naturally be pulled to Article 4-Definitions.
The second area of your focus might be to show how you, the business owner, as processor, have implemented the appropriate technical and organizational measures that will allow processing to meet the requirements of the GDPR to ensure the protection of the personal data of the data subjects of the controller. In that regard, you must read the all-important Article 28(1), which mandates that “…the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Finally, the third area of your focus might be to fully understand that your client, the controller, and you, the processor, will be subject to stiff fines under Article 83 for not complying with the GDPR. Thus, you will want to read Article 5(1)(f) and Article 5(2), which require that the controller must ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 of the GDPR. Thus, the consequence of a personal data breach is that the controller will be unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 of the GDPR.