How data protection law applies to retirement funds

Humans become vulnerable in their old age and as a poet once said, it is like a second childhood. In the same way that we recognise that we need to protect the personal data of children because if it falls into the wrong hands they will suffer harm, we need to protect the personal data of our older population against unauthorised use, misuse and other forms of abuse. Arguably, no source of personal data is more important to their wellbeing than their retirement fund. After a life of hard work and saving, it is the nest egg that is supposed to sustain them through their golden years. If a cybercriminal or other bad actor gets hold of their personal data related to their pension, they can potentially steal their money or otherwise compromise their retirement. It is for this reason, amongst others, that data protection matters when it comes to pension funds.

Do you know what you need to know as a principal executive officer, administrator or other executive responsible for managing a pension fund so that you can protect the personal data of your members and beneficiaries as data subjects in terms of relevant data protection laws?

This programme tackles data protection from the perspective (or through the lens) of a retirement fund.

Types of retirement funds

  • Pension funds: These are employer-sponsored funds that provide regular retirement income through annuities. They form independent legal entities, with trustees managing personal data on contributions and payouts.
  • Provident funds: Similar to pension funds, these are sponsored by an employer and provide a lump sum at retirement.
  • Retirement Annuity Funds (RAs): These are savings plans where individuals contribute independently.
  • Pension preservation funds: Designed to keep retirement savings intact when individuals leave an employer.

What laws apply to your processing?

Relevant data protections laws apply to your processing as a pension fund: the GDPR in the EU, CCPA in the US state of California, and POPIA in South Africa. You need to understand certain concepts related to these laws to properly comply with your obligations, including:

  • Who are the role players when it comes to retirement funds? Between the fund itself and the administrators, who is the controller and who is the processor?
  • What data protection principles apply to processing as a retirement fund? When it is it lawful to collect the personal data of a member indirectly and when and how do you need to get consent to process their personal data?
  • What are privacy impact assessments? When and how do you need to do them?

There are also industry-specific laws in each jurisdiction that will generally apply to your processing if it grants your data subjects a higher level of protection. For example, in South Africa the Pension Funds Act applies specifically to the pension funds industry and Conduct of Financial Institutions Bill will soon regulate financial institutions in general, including pension funds.

Will joining this lens help my organisation comply?

Yes. That’s the short answer. We understand that you may be working with limited resources and budgets. We want to help you in the most efficient and cost-effective way. Our data protection lens for retirement funds will help you. This lens combined with our practical core programme takes you through the key actions a retirement fund must take to comply.

Who should join the data protection for retirement funds lens?

If you’ve joined one of our core programmes then you get complimentary access to this lens. This lens is for all retirement funds and is particularly appropriate for:

  • principal executive officers;
  • administrators; or
  • other executives responsible for managing a retirement fund.

What are the outcomes?

As a direct consequence of this programme, you will:

  • get an overview of how data protection laws apply to retirement funds;
  • learn how relevant data protection laws affect the relevant classes of data subject and role players for retirement funds, such as beneficiaries, trustees and fund administrators; and
  • exploring specific data protection pain points for retirement funds, including indirect collection by administrators, impact assessments and relevant laws that overlap with data protection when it comes to retirement funds (such as the Pension Funds Act, its regulations and various circulars in South Africa).

About the facilitator

David Luyt
David Luyt

David believes that less is more when it comes to the law. He works as an information lawyer because he enjoys simplifying complex ideas into practical insights. He is uniquely positioned for any organisation acting as a processor seeking a privacy specialist to ensure compliance peace of mind. He has formalised his experience by obtaining his CIPP/E from the IAPP. David has been an associate at Michalsons for the past seven years.

Why Michalsons?

  • We believe in using the law as a tool to prevent harm from coming to people.
  • We have significant practical experience dealing with data protection law.
  • We cover only those areas of data protection law that are most relevant to you, saving you time and money.
  • We provide insight and simplify the issues, empowering you to work through the obligations yourself.

How long does it take to work through the lens?

You can work through this lens at your own pace and go as fast or slow as you like. Depending on the data protection processes you already have in place, it could take you a few hours or a few weeks to work through this lens.

Price

A lens is a complimentary programme that you get access to by joining the data protection programme. It contextualises data protection for a particular audience, such as community schemes, non-profits, or schools.

These lenses serve as an additional guide as you work through the core programme.

100% Money Back Guarantee

We will refund you if you do not think you received value.

Tackle your compliance challenges now!

Join