After more than four years of negotiations, the new EU data protection framework has finally been agreed. Following a two-year transition period, the General Data Protection Regulation (GDPR) will apply in all member states from 25 May 2018.

The GDPR will completely overhaul the current data protection laws in the UK as well as Europe. It has a greater emphasis on formal compliance processes and imposes substantial new obligations on trustees in the collection and use of personal data. Trustees should therefore use the current 24-month transition period to fully review their existing processes and introduce new policies and procedures to prepare for the GDPR.

Terminology in a pensions context

As with any specialist area of law there is some basic terminology to understand. Helpfully this has not changed from the current terminology:

  • A "data controller" is a person or body, which determines the purposes and means of processing personal data. In the pension scheme context, in the majority of cases the pension scheme trustee will be the data controller.
  • A "data processor" is a third party who process the data on the data controller's behalf. Data processors will include administrators, advisers and annuity providers.

We have set out below six key areas of the GDPR which will have a significant impact on pension trustees:

Click here to view the chart.