Data protection


The General Data Protection Regulation (GDPR) and Data Protection Act 2018 have now been in force for over a year. We offer specialist support to trustees and sponsoring employers to give guidance on meeting their ongoing obligations.

Whilst many of the GDPR’s requirements are similar to previous data protection provisions, the new rules strengthened data protection requirements. In the interests of transparency, there is now a significant amount of information that needs to be given to individuals at key stages, with greater reporting obligations in the event of a breach and heavier sanctions for non-compliance.

The Data Protection Act 2018 incorporated GDPR into UK law and at the same time replicated and updated the Data Protection Act 1998.

Our unique position at the heart of the pensions industry means we can provide commercial advice on how the new data protection laws apply in a pensions context and what practical steps need to be taken to ensure continued compliance.

How we can help

  • identifying the questions to ask when auditing (or “mapping”) scheme personal data
  • reviewing existing or new contracts
  • considering the policies and procedures that may need to be put in place or updated
  • communicating with members
  • reconciling data protection compliance with the other obligations and responsibilities that apply to pension schemes.

Recent experience

  • Helping trustees to put in place a tailored project plan to prepare for the GDPR
  • Reviewing the protections in place for trustees in the context of the higher sanctions under the GDPR
  • Drafting or updating GDPR-compliant privacy notices for trustees for inclusion in their annual newsletter
  • Drafting GDPR-compliant contractual clauses for contracts between trustees (as data controllers) and service providers (as data processors)
  • Advising trustees on reviewing their consent process and wording in light of the more stringent requirements under the GDPR
  • Advising employers on data-sharing arrangements in place with the trustees of its occupational pension scheme
  • Assisting with joining up the approach the employer has towards compliance and risk management with running a pension scheme.

Please see our GDPR terms explained page, which has key definitions relating to data protection.