Data Protection Strategies for Pension Plans



Summary

  • Pension plan trustees qualify as data controllers under data protection law simply because they ultimately determine the manner and purpose for which plan member data is processed, either by themselves or by their agents.
  • Although pension plan administrators, as data controllers, should question their levels of compliance, there is more to it than just obedience.
  • There are several proven approaches to protect sensitive data against cybercrime and also reduce data breaches.

Pension plans are treasure troves of sensitive personal information about their members and beneficiaries. Managing this data has never been more complicated and risky, especially in the wake of data protection law.

Kenya’s Data Protection Act was assented to on November 8, 2019, making it the primary data protection law in the country.

The law, which is one of the first on the continent to provide a comprehensive legal framework on data processing, gave effect to privacy as a fundamental human right, as enshrined in Article 31(c) and (d) of the Constitution.

Pension plan trustees qualify as data controllers under data protection law simply because they ultimately determine the manner and purpose for which plan member data is processed, either by themselves or by their agents.

Although pension plan administrators, as data controllers, should question their levels of compliance, there is more to it than just obedience.

The activity should not be viewed simply as a box-ticking exercise, but rather as an opportunity for directors to consider how the quality of the data in their possession may impact their tenure as directors. Here are three guidelines for administrators to manage data responsibilities:

Stakeholder training: Pension schemes, like companies, often need to be prepared for natural or man-made disasters and need to ensure that appropriate risk mitigation measures are in place by their board and service providers.

For example, malware and ransomware attacks or system failures can be catastrophic for pension plans and so it is never too early to assess what needs to be done to prepare your respective pension plans for such risks.

There are several proven approaches to protect sensitive data against cybercrime and also reduce data breaches.

Policies and Guidelines: Member data security should be at the forefront of administrator governance strategies, particularly in light of data protection law and related regulations.

Administrators remain accountable for data security even when appointing reputable service providers. As such, frequent reviews of the providers’ data resiliency and procedures should be part of system governance procedures.

Administrators must put in place privacy and information security policies that detail the procedures and practices for handling personal data. Policies should also guide an incident response plan in the event of an attack or breach.

Monitoring and evaluation: pension schemes can designate or appoint a data protection officer whose main role would be to advise them and their employees on the data processing requirements provided for by law.

The agent would also ensure that proxies comply with the provisions of data protection law while facilitating capacity building of staff involved in data processing operations.

The engagement of a data protection officer will help in the continuous monitoring and evaluation of the processes and procedures in place not only to ensure compliance with the law, but also to minimize data risks.
