As we pass one year after the General Data Protection Regulation (GDPR) came into force, trustees may have thought they could heave a sigh of relief. But GDPR is for life and compliance continues to pose ongoing challenges.
We’ve prepared 10 trustee tips to help you continue to manage your risk and to evidence GDPR compliance to the Information Commissioner's Office (ICO).
1. Update your privacy notice to ensure key changes are documented and members are notified, e.g. has your administrator moved its business outside the UK or EU, or do you have a new administrator? Are you considering a buy-in or buy-out of scheme benefits? You can future-proof your privacy notice by including this now.
2. Review annually and evidence that you have done this.
3. Check your policy covers data protection breaches.
4. The fee is to be paid annually to the ICO and applies to trustees who are data controllers, unless they are exempt. The fee ranges from £40 to £2,900.
5. There is a tension between the ICO's requirement to retain data only for as long as required and the longevity of pension schemes. Our advice has been to retain data for 15 years, which is the longstop for a possible claim to be brought against trustees, e.g. 15 years after a member has transferred benefits out of a scheme. Some trustees have decided to retain data for longer.
6. Check your register. Have you moved to a new platform, or are you sharing data with new organisations? Ensure your register is kept up to date.
7. Check that your data breach log is up to date and review it for any ways in which behaviours and actions can be changed to reduce the number of breaches.
8. Put an agreement in place between you and the employer if you have active members and exchange data, or if a buy-in or buy-out is going to take place shortly.
9. So that you can demonstrate compliance with GDPR.
10. Ensure you know how to act quickly when there is a data breach.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.