One year after the General Data Protection Regulation (GDPR) came into force, trustees may have thought they could heave a sigh of relief. But GDPR is for life, and compliance continues to pose challenges.

We've prepared 10 trustee tips to help you continue managing your risk and evidence GDPR compliance to the Information Commissioner's Office (ICO).

1 - Privacy notice

Update it to ensure key changes are documented and members are notified. For example, has your administrator moved its business outside the UK or EU, or do you have a new administrator? Are you considering a buy-in or buy-out of scheme benefits? You can future-proof your privacy notice by including this now.

2 - Policies and procedures

Review annually and evidence that you have done this.

3 - Trustee insurance

Check your policy covers data protection breaches.

4 - Data protection fee

This is payable annually to the ICO and applies to trustees who are data controllers, unless they are exempt. The fee ranges from £40 to £2900.

5 - Retention of scheme data

There is a tension between the ICO's requirement to retain data only for as long as required and the longevity of pension schemes. Our advice has been to retain data for 15 years, which is the longstop for a possible claim to be brought against trustees, e.g. 15 years after a member has transferred benefits out of a scheme. Some trustees have decided to retain data for longer.

6 - Register of processing activities

Check this: have you moved to a new platform, or are you sharing data with new organisations?

7 - Data breaches

Check that your data breach log is up to date, and review it for ways that behaviours and actions can be changed to reduce the number of breaches.

8 - Data sharing agreement

Put one in place between you and the employer if you have active members and exchange data, or if a buy-in or buy-out is going to take place shortly.

9 - Identify your training requirements

So that you can demonstrate compliance with GDPR.

10 - Cyber risk

Ensure you know how to act quickly when there is a data breach.