In just over two weeks’ time, on the 25th May 2018, the General Data Protection Regulation (GDPR) will come into effect in the UK. For trustees, it’s time to make sure you’re fully prepared for the changes this legislation will enforce.

 

But what are the biggest issues you need to be aware of – and how should you tackle them? Here is the Pension Fund Insider guide to what trustees need to know about GDPR.

 

 

The GDPR is replacing the Data Protection Act, which had previously been in place for 20 years.

 

And while some aspects of the GDPR are similar to what the original act set out – for example, the six protection principles for data processing – there are also some significant changes that trustees need to be aware of.

 

Perhaps the biggest of these, says Rebecca Cooke, consultant at Wrigleys Solicitors LLP, is to do with consent. 

 

“Obtaining consent to processing personal and personal sensitive data will become much more difficult, and existing consent provisions may not be sufficient for GDPR purposes,” she says.

 

This means trustees might need to find an alternative basis for processing data, such as on a ‘legitimate interests’ basis, she explains. “However, in order to comply with this, members will need to be provided with detailed privacy notices,” she adds.

 

 

Another big change is the introduction of the accountability principle, which means trustees must clearly show that they are complying with the GDPR.

 

That means it’s vital you have appropriate documentation and policies in place – and if you haven’t yet, this is something to do urgently.

.

 

Trustees will need to clearly identify all the organisations that are processing their data – and understand how this data moves between them. You’ll also need to be clear on exactly how they will keep personal data safe and secure.

 

While some of these flows of data, such as between sponsors or administrators and trustees, are easier to identify, others are trickier.

 

“What about the printers who print and distribute member newsletters?” says Helen Nicholas, associate director at global advisory firm Willis Towers Watson. “What about former trustees, who no longer receive data but may have copies of old trustee meeting packs or papers saved on their computer or sitting in their loft?”

 

 

In general, trustees will decide whether to report on a data breach on a case-by-case basis. But when the breach is serious, and there’s a serious risk of rights being breached, the members concerned must know about it within 72 hours. 

 

Remember: data breaches include accidental, as well as intentional incidents. And, if things do go seriously wrong, for the most serious breaches the penalties are being increased up to €20m, or for commercial entities whichever is higher out of €20m or 4% of global turnover.

.

 

Here are the five biggest things trustees must do in order to be GDPR compliant:

1.    Send members and beneficiaries a notice explaining their rights under the new regulations

2.    Carry out an audit to find out exactly what data your scheme is holding, where it has come from and who it has been shared with

3.    Make sure you have GDPR-compliant agreements in place with all organisations and parties that process your data

4.    Create an internal data protection policy so that you can show you are knowledgeable and accountable on data issues

5.    Put in place an ongoing process to make sure your protocols remain up-to-date and relevant in the future.

                                      

 

Nikki Allen.