GDPR a year on: top tips for pension trustees

As we pass one year after the General Data Protection Regulation (GDPR) came into force, trustees may have thought they could heave a sigh of relief. But GDPR is for life and compliance continues to pose ongoing challenges.

We’ve prepared 10 trustee tips to help to continue managing your risk and how to evidence GDPR compliance to the Information Commissioner's Office (ICO).

1 -  Privacy notice

Update it to ensure key changes are documented and members are notified, eg has your administrator moved its business outside the UK or EU or do you have a new administrator? Are you considering a buy-in or buy-out of scheme benefits? You can future proof your privacy notice by including this now.

2 - Policies and procedures

Review annually and evidence that you have done this.

3 - Trustee insurance

Check your policy covers data protection breaches.

4 - Data protection fee

To be paid annually to the ICO and applies to trustees who are data controllers,  unless they are exempt. Fee ranges from £40 - £2900.

5 - Retention of scheme data

There is a tension between the ICO's requirement to retain data only for as long as required versus the longevity of pension schemes. Our advice has been to retain data for 15 years, which is the longstop for a possible claim to be brought against trustees eg 15 years after a member has transferred benefits out of a scheme. Some trustees have decided to retain data for longer.

6 -  Register of processing activities

Check this. Have you moved to a new platform or are you sharing data with new organisations? Ensure your register is kept up to date.

7 - Data breaches

Check that your data breach log is up to date and review it for any ways that behaviours and actions can be changed, to reduce the number of breaches

8 -  Data sharing agreement

Put one in place between you and the employer if you have active members and exchange data or a buy-in or buy-out is going to take place shortly.

9 -  Identify your training requirements

So that you can demonstrate compliance with GDPR.

10 - Cyber risk

Ensure you know how to act quickly when there is a data breach.

How can TLT help you

  • GDPR training – workshop on managing data breaches
  • GDPR compliance extranet
  • Agree GDPR data sharing agreements
  • Review privacy notices and policies
  • Check that your trustee insurance covers your GDPR risks

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.

Date published

10 June 2019


View all