GDPR: A ten point checklist for trustees

clock • 4 min read

Sackers has outlined the ten key actions trustees need to take to understand the responsibilities that will be expected of them from 25 May.

Commenting on the importance of the new rules, Sackers partner Claire Carey said: "The GDPR will introduce new contractual obligations, increase the information that needs to be given to individuals, and enhance reporting obligations in the event of a breach - with minister of state for digital, Matt Hancock, saying its aim is to give the UK ‘one of the most robust, yet dynamic sets of data laws in the world'.

"Non-compliance could be met with heavy sanctions of up to £17m or 4% of global turnover, so it's essential that trustees can show they have taken all reasonable measures to get it right."

The ten-point Sackers GDPR checklist is:

  1. Audit your personal data Under the GDPR, "personal data" is any information (whether opinion or facts) relating to an identified or identifiable living individual. As the ultimate responsibility for member personal data rests with the pension scheme's trustees, they are "data controllers" for this purpose. Trustees therefore need to make sure they know what personal data they hold, why they hold it, who else has access to it, how long it has been held, and whether it is still needed.
  2. What grounds do you have for processing personal data? For the processing of non-sensitive personal data to be lawful, at least one of six conditions must be met. Trustees therefore need to decide the basis (or legal grounds) on which they process scheme member personal data. Where consent is used as a basis for processing members' personal data (e.g. where sensitive personal data is being processed), the procedures for obtaining consent should be reviewed and updated.
  3. Update your contracts Trustees will need to have a binding contract in place with any data processor whose services they engage, which will need to address a number of key points, including the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data involved, and the categories of individuals on whom it is held.
  4. Communicate with members The GDPR will introduce additional requirements affecting the provision of information to members. Trustees will need to issue revised information notices (also known as privacy notices). Where trustees are joint data controllers, for example with the scheme actuary, the trustees may wish to prepare a joint privacy notice
  5. Do members know their rights? Trustees need to tell members how their personal data is processed and ensure that members are fully aware of their rights in relation to the personal data that is held, such as the right to be forgotten and to have inaccurate personal data corrected. Trustees should ensure that their processes (and those of their advisers) are ready to deal with data requests from members
  6. Review your policy The trustees' data protection policy will be the main document for recording how they look after personal data in relation to their scheme, reflecting key decisions taken and procedures put in place to meet GDPR requirements. The content and structure will vary, but should aim to cover certain points as a minimum in line with record keeping requirements.
  7. Do you need a data protection officer? Both data controllers and processors will need to appoint a data protection officer (DPO) in certain circumstances, such as where their core activities involve "regular and systematic monitoring of data subjects on a large scale", or consist of large scale processing of sensitive personal data. Whilst it's unlikely that occupational scheme trustees will need to appoint a DPO, all schemes should assess whether they need one with input from their legal advisers and document their conclusions
  8. Understand your role Key to GDPR compliance is ensuring you understand what is required under the new rules. Talk to your legal advisers about how they can help.
  9. Be ready to demonstrate compliance A new principle of accountability requires data controllers to be responsible for, and demonstrate compliance with, the data protection principles. Trustees should become familiar with the steps needed to fulfil their obligations
  10. How well protected are you? Trustees should check what protections may be available to them in the event of any regulatory fines from the ICO or compensation claims from individuals arising from a data protection breach. As not all trustee insurance policies will cover such claims, it is important trustees check with their legal advisers the extent of any cover.

Related Topics

More on Law and Regulation

Court adjourns proceedings against former sports centre director
Law and Regulation

Court adjourns proceedings against former sports centre director

TPR prosecution against former director of 1066 Target Sports adjourned for ten weeks

Martin Richmond
Martin Richmond
clock 16 April 2024 • 1 min read
Rory Murphy: The case for a permanent pensions commission
Law and Regulation

Rory Murphy: The case for a permanent pensions commission

Setting up an ongoing vehicle for reviewing the retirement savings landscape

Rory Murphy
clock 15 April 2024 • 4 min read
LTA abolition: What do schemes need to know?
Law and Regulation

LTA abolition: What do schemes need to know?

Communication, member protections and transfers just some of the aspects to prioritise

Jasmine Urquhart
Jasmine Urquhart
clock 15 April 2024 • 6 min read
Most read
01

PPF could play 'crucial' role as public consolidator but some 'not convinced on merits'

18 April 2024 • 7 min read
02

Rising Star Awards 2024: Nominations open!

18 April 2024 • 2 min read
03

Industry welcomes proposals to grant DB schemes easier access to surpluses

18 April 2024 • 7 min read
04

The Pensions Dashboards Programme – Will it succeed?

17 April 2024 • 5 min read
05

Stories of the week: People's Partnership; Brightwell; Epson buy-in

12 April 2024 • 1 min read
06

PDP announces staff shake up as Chris Curry changes role

17 April 2024 • 1 min read
Trustpilot