Pension funds should appoint a dedicated officer for the protection of personal data, according to the chair of the Netherlands’ Personal Data Authority (AP).
At a conference hosted by IPE’s Dutch sister publication Pensioen Pro last week, Aleid Wolfsen spoke about the introduction of local data protection rules for the Netherlands, in the wake of EU-wide legislation for privacy protection that is to come into force as of next May, known as GDPR.
He suggested that the task could also be carried out by a board member of the pension fund, rather than a new member of staff. In his opinion, such an officer could also serve several pension funds.
The Dutch regulation requires government organisations, as well as organisations that process sensitive data on a large scale, to appoint somebody to hold responsibility for this data and the implementation of the new rules.
Wolfsen said that organisations that did not appoint such an official must explain their decision to enable the AP to check whether they have made the correct assessment.
Based on a conversation with the Pensions Federation, Wolfsen said he expected that the pensions sector in general was properly preparing for the data protection regulation.
According to the chairman, 10% of all data leaks reported to the AP during the first six months of 2017 came from the pensions sector.
However, he immediately put the issue into perspective by explaining that the breaches predominantly were about wrongly delivered mail, which officially counts as a data leak.
Wolfsen’s comments contrasted with the findings of a survey by an audit, tax and advisory firm, which reported in August that UK trustees were “unprepared” for the new European-level rules on data protection.
Eddie Hodgart, risk and assurance director at Crowe Clark Whitehill, said at the time that many trustees felt “out of their depth with non-traditional risks such as cybersecurity”. “More work is needed to educate pension trustees on managing non-traditional risks which impact pension schemes,” he added.