49: GDPR for pension schemes: Three year anniversary

On 25 May 2021, we reach the three year anniversary of the General Data Protection Regulation (GDPR) coming into force. In our latest blog we remind trustees of some key ongoing action points in order to comply with their data protection obligations. Since the end of the Brexit transition period, the GDPR has been broadly retained in domestic law and sits alongside the Data Protection Act 2018.

Data Protection Policy (DPP)

DPPs form the backbone of trustee GDPR implementation, documenting and demonstrating compliance with the GDPR. Trustees should ensure the policy is reviewed and updated regularly. To assist with this, compliance with the UK GDPR could be included as a standing item on trustee agendas if it is not already.

Privacy notice

Members have a right to information about the reasons for which their data is being processed. Trustees will have already established and communicated their lawful reasons for processing data but should make sure members are notified of any changes which impact them, e.g. how their data is being used, who it is being shared with, and any changes to the basis for processing their data.

Note that information given to members about international transfers of their data may need to be updated in due course in light of Brexit (on 19 February 2021 the Commission released a draft adequacy decision for the UK, on which the EDPB published its opinion on 15 April 2021 but a final decision is still awaited).

Contracts and data sharing

Trustees will have existing GDPR compliant contracts with third party providers. Contracts with any new data processors engaged by trustees must include sufficient data sharing provisions in order to comply with the mandatory requirements set out in Article 28 of the UK GDPR. Careful thought should be given to indemnities in the event of breach.

To the extent they have not already, trustees should consider putting in place a data sharing agreement with the sponsoring employer or any other controllers with which they share data. They should also consider reviewing existing agreements, having regard to the ICO’s recently updated Data Sharing Code of Practice, which was laid before Parliament on 18 May 2021 and comes into force on 20 June 2021.

Data security

Trustees should regularly assess and test their security systems and measures to ensure they remain robust and can protect against unauthorised or unlawful processing and any accidental loss, destruction or damage of personal data.

Data breaches

Trustees should ensure that they have a policy and processes in place to enable them to act quickly in the event of a data breach and that they are in a position to notify the ICO within the requisite time frame (72 hours from becoming aware of it). Members may also need to be notified. All parties should be clear who is responsible for taking any steps.

Trustees must keep a log of any personal data breaches (even those which did not meet the reporting threshold), including their effects and any remedial action taken, and ensure this log is kept up to date.

Data subject access requests

In most circumstances, trustees must make sure they are in a position to respond ‘without delay’ to a subject access request and at the latest within one month of receipt of a request. The trustees and their administrators should be clear who is responsible for taking any steps to respond.

Trustees and their advisors can take day-to-day action to minimise what needs to be disclosed in the event of a request by avoiding using member personal data in correspondence wherever possible. In order for personal data to be truly anonymised, it must be stripped of sufficient elements so that the individual can no longer be identified. All parties connected with the administration and governance of a pension scheme should be alert to the need to anonymise wherever possible.

Retention of data

Keep data regularly under review and consider what is necessary to keep and what can be returned or destroyed. Retiring trustees should be asked to evidence they have returned or destroyed all personal data relating to the scheme.

Training

Trustees should ensure they are regularly refreshing their data protection training. The ICO’s breach notification form explicitly asks ‘Had the staff member involved in this breach received data protection training in the last two years?’. Trustees should ensure they are in a position to answer yes to this question in the unfortunate event of a breach.

How we can help

Our 25 March 2021 webinar, in which we discuss developments in GDPR for pension schemes since the GDPR came into force in 2018, can be found on YouTube. Our experienced pensions team is well placed to provide GDPR training or to help with reviews or updates of GDPR documentation more generally.

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222