The new General Data Protection Regulation (“GDPR”) will replace existing European data protection law from 25 May 2018. The changes being introduced are significant and there is a lot to do to get ready.

Following on from our recent seminar series looking at how the regulation will affect those in the pensions industry, we have listed below some priority action points to set you on the right track.

Data Protection Officer

You may be obliged to appoint a data protection officer. They must be involved in all data protection issues and report directly to the highest level of management within your organisation.


  • Determine whether you need to appoint a DPO (or want to do so on a voluntary basis).

Personal Data

It will become more onerous to hold or process members’ personal data. There will be new member rights associated with holding personal data, such as a member’s right to have data deleted where it is no longer required or to have their data transferred to new providers. In addition, more information must be provided to members about how their data is held and processed. It will also be more difficult to rely on member consent to process data.


  • Review records of personal data currently held and take advice on the lawful basis for holding it.
  • Review existing consents. Where member consent is obtained, this must be freely given, clear and unambiguous and cannot be implied. It must be capable of being withdrawn at any time. Other consent requirements apply which make consent difficult to rely on.
  • Review member communications and existing privacy notices. Where another processing justification is used (e.g. legitimate interests), this must be clearly communicated to members.


While the requirements for data processors (such as scheme administrators) are becoming more stringent, the ultimate responsibility for compliance with the GDPR lies with the pension scheme trustees/employer.


  • Review contracts with any providers that currently act as controller or processor of member data. Update contracts to incorporate the more extensive requirements of the GDPR and to ensure that these requirements will be met.
  • Take this opportunity to agree practical processes to ensure compliance with the GDPR. For example, who is to be responsible for reporting security breaches within 72 hours?
  • Advisers may seek to put in place new contracts in response to the GDPR. Review these carefully to ensure that no data protection concessions or indemnities are being given by the trustees.
  • Where new advisers are being appointed, data will need to be transferred. In these circumstances, carry out a privacy impact assessment, and notify the Data Protection Regulator where a transfer is deemed high risk.