As we pass the first anniversary of the General Data Protection Regulation (GDPR) coming into force, trustees may have thought they could heave a sigh of relief. But GDPR is for life, and compliance continues to pose challenges.
We have prepared 10 trustee tips to help you keep managing your risk and to evidence your GDPR compliance to the Information Commissioner's Office (ICO).
1 - Privacy notice
Update it so that key changes are documented and members are notified. For example, has your administrator moved its business outside the UK or EU, or do you have a new administrator? Are you considering a buy-in or buy-out of scheme benefits? You can future-proof your privacy notice by covering these possibilities now.
2 - Policies and procedures
Review them annually and keep a record evidencing that you have done so.
3 - Trustee insurance
Check that your policy covers data protection breaches.
4 - Data protection fee
The fee is paid annually to the ICO and applies to trustees who are data controllers, unless they are exempt. It ranges from £40 to £2,900 depending on the tier the scheme falls into.
5 - Retention of scheme data
There is a tension between the GDPR storage limitation principle (personal data must be kept for no longer than necessary, as the ICO enforces it) and the longevity of pension schemes. Our advice has been to retain data for 15 years, which is the longstop for a possible claim to be brought against trustees, eg 15 years after a member has transferred benefits out of the scheme. Some trustees have decided to retain data for longer; whatever period you choose, record the reasoning so you can justify it.
6 - Register of processing activities
Check that it is still accurate: have you moved to a new platform, or are you sharing data with new organisations?
7 - Data breaches
Check that your data breach log is up to date, and review it for ways in which behaviours and processes could be changed to reduce the number of breaches.
8 - Data sharing agreement
Put one in place between you and the employer if you have active members and exchange data with it, or if a buy-in or buy-out is going to take place shortly.
9 - Identify your training requirements
Identify what training trustees need and keep a record of it, so that you can demonstrate compliance with GDPR.
10 - Cyber risk
Ensure you know how to act quickly when there is a data breach. GDPR requires a notifiable breach to be reported to the ICO within 72 hours of becoming aware of it, so agree in advance who will assess the breach, who will notify the ICO and affected members, and how you will contact your administrator and insurer.