UK data protection law will change from 25 May 2018 to make it fit for a digital era. The changes are driven by EU law but will go ahead in the UK whatever form Brexit takes.

All pension trustees will be affected when UK data protection law changes on 25 May 2018 as the EU's General Data Protection Regulation (GDPR) comes into effect.

Trustees will need to review their policies and procedures and bring them into line with the new requirements.

The GDPR builds on current law to increase legal protection for personal data.

What steps do trustees need to take to comply with GDPR?

  • Conduct a data audit to check that you have a legal basis under the new law for each type of personal data you hold and each purpose for which you process it, e.g. because the processing is necessary to comply with a legal obligation, is necessary for the purposes of the trustees' legitimate interests, or the member has consented.
  • Review contracts with third parties such as administrators to clarify how responsibility for personal data is allocated between the trustees and those parties under the new rules.
  • Review policies and procedures so that internal processes generate evidence of how the scheme complies with GDPR.
  • Review member communications, including privacy notices, to identify new or updated items of information you are required to provide.
  • Keep abreast of developments, because the full picture of the GDPR regime is not yet available. The Information Commissioner's Office in the UK is gradually publishing guidance on different aspects of the regime that will need to be taken into account.

Actions for trustees to take now

  1. Agree an initial action plan and responsibilities.
  2. Consider how you will audit the personal data the scheme holds.
  3. Put data protection on the agenda of all trustee meetings for the next year.

How will Brexit affect GDPR?

Once the UK is outside the EU, it will need data protection law equivalent to the GDPR if UK organisations are to continue exchanging personal data with EU member states. The UK would then operate the GDPR, or a domestic equivalent, as a matter of choice rather than obligation.