It’s now less than a year until the new General Data Protection Regulation (GDPR) regulations come into force. Has your scheme started to prepare yet?

On 25 May 2018, new rules come into force that will affect the way that pension schemes, as well as their third party administrators and advisers, store and manage members’ personal data. The legislation contains some significant changes from current practices – and there are substantial fines for non-compliance. Here are five key steps to ensure your scheme is GDPR-ready.


Understand the scope of the legislation.

The requirements both for schemes and for the third parties that they work with could mean making significant changes to the way in which scheme data is managed and stored. Talk to your advisers or look for training to make sure you understand what is required from you and your scheme. “The new framework will drastically affect the future of stored personal data and increase company accountability. Pension schemes must make sure they are ready for what lies ahead and not get caught out,” says Steve Snaith, Technology Risk Assurance (TRA) Partner at consultants RSM.

Assess the data that you hold.

“Pension schemes hold vast amounts of sensitive member data which could be valuable to cybercriminals. It’s therefore vital that clear processes and safeguards are put in place to protect schemes and their members,” explains Snaith.

Pauline Sibbit, partner at pensions lawyers Sackers says that this should include assessing the personal data that your scheme holds “including looking at what is held, the reason or legal basis for holding it, and whether it is still needed”.

“Trustees must be sure that existing processes for obtaining [member] consent will make the GDPR grade,” she adds.

Talk to sponsors and third parties.

“Have an open discussion with the employer, who will be taking its owns steps to get ready,” advises Sibbit. “[Trustees] may be able to dovetail their own efforts with the employer’s.” As the legislation also covers third parties working with the scheme, it’s also essential to talk to administrators and advisers to understand how they are preparing.

Check your scheme documentation, contracts and member information.

Does your scheme have a data protection policy, and when was it last updated? It may need to be amended to meet the new requirements, or reflect changes the scheme has made as a result of GDPR. “Service provider contracts should be revisited and, most likely, updated to comply with GDPR requirements,” adds Sibbit. The same applies to member information. She suggests that details of the changes could be sent with other communications, such as an annual members’ report.

How would you meet a fine?

The fines for non-compliance are onerous. They could be as much as the higher of €20m, or 4 per cent of annual global turnover. While prevention is clearly the best course of action, considering what would happen if a provider breached the legislation and whether that is covered by contractual terms or existing insurance is still important.