GDPR and DPA 2018: Post-25 May 2018 to do list for pensions trustees

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) are now in force. What’s next for trustees?

The much-anticipated GDPR finally came into force on 25 May 2018, with many of the DPA 2018’s provisions coming into force on the same date. However, this does not mean the end of the data protection compliance process.

The Information Commissioner’s Office (ICO) is still publishing guidance on GDPR, with DPA 2018 guidance also anticipated. It has published multiple updates in the last few weeks alone: detailed guidance on consent, the right to be informed and Data Protection Impact Assessments, to name a few.

The UK Information Commissioner has made it clear that preparations for the new data protection regime do not end on 25 May 2018 and that effective data protection is an evolutionary process for organisations.

Below is a checklist of steps for trustees to take towards compliance:

  • Consider and document lawful basis for processing
  • Update privacy notices
  • Review and update processor contracts
  • Update/implement new data protection policy document(s) (including a breach notification procedure)
  • Have in place appropriate security measures
  • Obtain consent where required
  • Designate a data protection delegate/team or, where required, a Data Protection Officer
  • Maintain adequate records

Even once the documents and procedures are in place, they need to be both adhered to and kept under review.

The documentation is also important as it can help the trustees to evidence their compliance with their data protection obligations.

The following checklist of steps can assist with ongoing compliance:

Privacy Notices

  • Check that you actually explain what you do with an individual’s personal data in practice
  • Where the intended purpose for processing has changed, update the notice to reflect this
  • Ensure that the information in the notice (including contact details) remains accurate and up to date
  • Analyse any complaints from data subjects about how you use their personal data and, in particular, any complaints about how you explain your use of it

Security and Technical Measures/Policies

  • Make sure these are stringently upheld
  • Ensure all persons handling personal data have appropriate, adequate and up-to-date training
  • Monitor and update measures as necessary
  • Test security measures regularly

Other Monitoring

  • Review the data protection policy document(s) and keep them up to date
  • Review the personal data you hold and whether you still need to hold or process it – data should not be kept longer than necessary
  • If applicable, keep any legitimate interests assessment under review
  • If you have decided that a Data Protection Officer and/or a Data Protection Impact Assessment is not currently needed, keep this decision under review
  • Keep records of all reviews undertaken, and any relevant decisions. This is your record of working towards compliance!

If you have yet to seek advice on GDPR and/or DPA 2018, or would like assistance with any of the above, please do contact us.

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222
