Elaine Turtle of DP Pensions
Despite the current Brexit negotiations, the UK will forge ahead with the implementation of new data protection rules, which will see all previous legislation replaced.
The new General Data Protection Regulations (GDPR) don’t take effect until May 2018, but it is really important for SIPP providers to fully understand the changes and to review their policies, procedures and systems now.

There are two significant changes that relate to customer consents and reporting requirements. With regard to customer consents, most SIPP providers have general statements in their literature that explain to customers that there are Data Controllers and that their data will be used appropriately, lawfully and for its correct purpose, etc.

The new regulations mean that the consent has to be far more specific and state how the firm intends to use the data held. There is also the need for a positive indication of agreement; implied consent is no longer enough. So all SIPP firms will need to amend their literature if this isn’t already in place; for example, this could be a tick box next to a statement confirming that the customer agrees to the processing of their data in this way.
All consent will need to be recorded, and it can also be withdrawn by the consumer at any time. These changes apply to existing customers as well as new customers. This means that amendments will need to be made to current literature and systems, along with notification to existing customers informing them of the changes. During the transition period, consideration will need to be given to any business in the pipeline and to business received as the new rules embed into processes.

In addition to consent, the other significant change is to the reporting requirements. Under the current data protection regime we are all registered as Data Controllers with the Information Commissioner’s Office (ICO). Where there is a serious data breach, this needs to be reported and there have been some surprisingly high-level data security breaches.

The new regime requires all data breaches to be reported where there is a risk to the rights or freedoms of the data subject. This might be where the customer is likely to suffer some form of damage such as identity theft or a confidentiality breach. The notification to the ICO must take place within 72 hours, and fines can be up to a maximum of 20m Euros or 4% of annual worldwide turnover. This means that SIPP firms need to consider how they are keeping internal reports of data breaches and the information they hold on those breaches, including whether more information needs to be held.

For more information and to keep abreast of changes and developments visit the Information Commissioner’s Office website at https://ico.org.uk/. There is also a really interesting and useful guide that can be found here: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Elaine Turtle is director of DP Pensions