GDPR six months on - what remains for trustees to do

Image of african american businessman working on his laptop. Handsome young man at his desk.
  • GDPR came into force in May this year, but much remains to be done
  • Particular focus is needed around contractual terms and subject access requests
  • Record keeping and personal data breaches are also areas that need attention

GDPR introduced significant new obligations on schemes. Six months on, Oliver Topping looks at the areas trustees are still grappling with.

The General Data Protection Regulation (GDPR) raised the data protection stakes for all UK businesses - as well as the trustees of occupational pension schemes - by introducing new obligations on both data controllers and processors.

But 25 May 2018 was merely the starting line for the new requirements, with careful monitoring needed to ensure continued compliance - and trustees are still grappling with a number of issues. Key areas they need to focus on going into 2019 include:

  • Compliant contractual terms: As data controllers, trustees need to have a binding contract in place that is GDPR compliant with any data processor whose services they engage. Finalising contracts should be a priority for trustees as unagreed terms pose certain risks, including potential sanctions from the Information Commissioner's Office (ICO).
  • Subject access requests: While a number of new rights for individuals whose personal data is being processed were introduced under the GDPR, having been overhauled by the legislation, a subject access request is a pre-existing right that has gained more traction since May.
    Data subject access requests are powerful tools which individuals can use to gain access to the personal data being held about them and, perhaps unsurprisingly, the volume of requests has spiralled in the last six months. It is therefore essential that trustees have a process in place for dealing with such requests  - which may involve checking that the individual is who they say they are, clarifying what information and level of detail is sought, as well as considering how best to present it). Key providers, such as scheme administrators, should also be under a contractual obligation to provide assistance here.

  • Record keeping: In the run-up to 25 May 2018, schemes and their providers were busy carrying out audits to establish what personal data they held, why they held it, who else had access to it, how long it had been held, and whether it was still needed. As the GDPR requires all controllers and processors to maintain a processing record, trustees should check that the prescribed information has been pulled together for this purpose. The personal data audit will provide a platform for this but, given the sheer volume of personal data held by schemes, this is proving a challenging area. The scheme administrators will once again play an essential role, given that much of the processing of pension scheme personal data is carried out by them.

  • Personal data breaches: No matter how many carefully crafted policies, procedures and systems are in place to protect personal data, things can go wrong. Personal data breaches can occur for any number of reasons, including computer viruses and malware, hacking, loss of portable devices, and genuine human error.
    Depending on the level of risk to the individual, a controller may have to record the personal data breach, report it to the ICO, or report it to both the ICO and the individual concerned. A data controller is required to report a serious personal data breach to the ICO within 72 hours, where feasible.
    The key is for there to be a policy in place recognising the risks and setting out a clear process to allow personal data breaches to be addressed promptly and to be reported to the ICO within the required timescales.


This article was written by Oliver Topping from Professional Pensions and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to