Data protection


The General Data Protection Regulation (GDPR) and Data Protection Act 2018 came into force on 25 May 2018. We offer specialist support to trustees and sponsoring employers to give guidance on this major change.

Whilst many of the GDPR’s requirements are similar to previous data protection provisions, the new rules strengthen data protection requirements. The amount of information that needs to be given to individuals has increased, reporting obligations in the event of a breach are greater and heavier sanctions have been imposed for non-compliance.

The Data Protection Act 2018 is brings the GDPR into UK law and at the same time replicates and updates the Data Protection Act 1998.

Our unique position at the heart of the pensions industry means we can provide commercial advice on how the new data protection laws apply in a pensions context and what practical steps need to be taken.

How we can help

  • identifying the questions to ask when auditing (or “mapping”) scheme personal data
  • reviewing existing or new contracts
  • considering the policies and procedures that may need to be put in place or updated
  • communicating with members
  • reconciling data protection compliance with the other obligations and responsibilities that apply to pension schemes.

Recent experience

  • Helping trustees to put in place a tailored project plan to prepare for the GDPR
  • Reviewing the protections in place for trustees in the context of the higher sanctions under the GDPR
  • Drafting GDPR-compliant privacy notices for trustees for inclusion in their annual newsletter
  • Drafting GDPR-compliant contractual clauses for contracts between trustees (as data controllers) and service providers (as data processors)
  • Advising trustees on reviewing their consent process and wording in light of the more stringent requirements under the GDPR
  • Advising employers on data-sharing arrangements in place with the trustees of its occupational pension scheme
  • Assisting with joining up the approach the employer has towards compliance and risk management with running a pension scheme.

Please see our GDPR terms explained page, which has key definitions relating to data protection.