Teal blue header image

GDPR: A pension trustee's ongoing obligations

After months of preparing for GDPR, unfortunately the work does not stop now that the regulation has been implemented. Elements of the GDPR will require ongoing review and action

See our checklist below to make sure you are up to speed with your ongoing trustee GDPR obligations.

DPO or not to DPO?

  • Trustees, as data controllers, do not always have to appoint a Data Protection Officer (DPO). If you have decided that a DPO is not currently needed, review this regularly.
  • If a DPO is not appointed, the trustees will have a number of responsibilities to ensure GDPR compliance.  One trustee should take on overall GDPR responsibility. 

Dealing with a data breach

  • Any suspected or potential data breaches must be reported as soon as possible to the DPO or trustee with GDPR responsibility. If the breach is serious, this should be escalated to the Information Commissioners Office (ICO) and, where necessary, the Pensions Regulator within 72 hours of the discovery of the breach.
  • Members may also need to be informed of the data breach, if the data breach is significant. 

Dealing with individual rights requests

  • The trustees have one month to respond to any individual rights request.
  • If not already in place, it is a good idea to have a system  for how you will respond to such requests.

Demonstrating your GDPR compliance

  • Trustees should ensure that they are familiar with their policy documents.
  • Trustees must keep a record of all data processing activities, along with a record of individual rights requests, data breaches and any transfers of personal data outside the European Economic Area.
  • Communication between trustees that contains personal data should be adequately secure. This may include, for example, using encrypted email systems and password protected documents.
  • Trustees must regularly review all data processing activities and GDPR policies. In order to document GDPR compliance to the ICO, we recommend that a GDPR review is added as an agenda point to future meetings. 

How TLT can assist

  • Process - ensure you have a data breach and individual rights request procedure in place.
  • Training - carry out annual GDPR refresher training and GDPR data breach training to help ensure that you are meeting your GDPR obligations
  • Compliance - provide a secure extranet to demonstrate GDPR compliance, to manage communications regarding personal data and record data processing activities

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Insights & events View all