Pension Funds Insider

Pension Funds Insider brings the latest pensions news and industry insights; from investment and governance updates to new mandate appointments and pensions regulatory information.

The deadline has passed

Image for The deadline has passed pension funds

Are trustees compliant?

On Friday 25th May, the General Data Protection Regulation (GDPR) came into effect in the UK. The GDPR has replaced the Data Protection Act, which was previously in place for 20 years. And while some aspects of the GDPR are similar to the original act, there are also some big changes that trustees need to be aware of.
Now that the rules are in place, have you get everything you need in place to make sure you’re dealing with your data correctly? Read through our list now to check you’ve covered the biggest steps in being GDPR compliant.
1.    Carry out an audit of personal data
The GDPR definition of personal data is any information relating to an identified or identifiable living person. And because trustees hold the ultimate responsibility for member’s personal data, that makes you ‘data controllers’.
If you haven’t already, that means you need to find out exactly what personal data you hold, why you have it, and whether it’s still needed.
2.    Update your privacy notices
By now, trustees should either have reviewed privacy notices previously given to members and updated them so that they include all the information set out in the GDPR. If necessary, this might also mean reissuing them to affected members and beneficiaries.

Alternatively, you might have decided to send out an entirely new GDPR-compliant privacy notice to members, in which case a review of earlier notices should not be needed.
2. Make sure members are well-informed
Trustees also need to make sure members know how their personal data is being processed, and that they’re fully aware of their rights in relation to that data.
For example, they have the right to be forgotten and to have inaccurate personal data corrected.
3. Get prepared for breaches
In general, trustees will decide whether to report on a data breach on a case-by-case basis. But when the breach is serious, and there’s a serious risk of rights being breached, the members concerned must know about it within 72 hours. 
Now is the time to check what protections you have, in the event of any regulatory fines, or compensation claims from individuals arising from a data protection breach. Not all insurance policies will cover these claims, so check your cover with a legal adviser.
4.    Know how to deal with third party processors
The GDPR is primarily about openness and transparency through the data handling chain. With this in mind, the new rules have brought in some major changes to the legal relations between trustees, as data controllers, and many of their service providers, as data processors.
If you haven’t already, it’s vital that you now make sure any contracts you are negotiating with third parties are fully GDPR compliant. Trustees should also check which of their current suppliers are processing personal data on their behalf and confirm that these suppliers are prepared for GDPR.
Finally, some of your contracts with suppliers will need to be amended, so look into doing this now.
Nikki Allen