Data Protection - trustees need to take action


The European General Data Protection Regulation (GDPR) will come into force on 25 May 2018.  This gives trustees one year to consider what they need to do to comply with the new requirements. There may also be implications for employers where trustees don’t comply and where they handle member data themselves.

There’s a lot that needs to be done and some of it will take a while.  This means that trustees need to start thinking about compliance now. 

Why is data protection relevant to trustees?

Trustees need to use personal information about members to calculate and pay pension benefits.  This makes them “data controllers” for the purposes of both new and existing data protection requirements.

As data controllers, trustees already have significant obligations in relation to member data.  These include ensuring that: the data is processed fairly and lawfully; members are given certain information about what is being done with their data; and that it is held securely. 

Trustees will also generally need to have registered as a data controller with the Information Commissioner’s Office (ICO).

What is changing? 

Once the GDPR comes into force, a lot will still look the same. Trustees will still be data controllers and they will still need to ensure that member data is processed fairly and lawfully.

However, whilst the principles remain similar, a lot of practical requirements are changing.  Trustees will need to ensure that they have appropriate internal policies and processes in place to comply with the large volume of new requirements.

Where third parties such as administrators process data on the trustees’ behalf, agreements with them will need to be reviewed to ensure that there are provisions dealing with security, confidentiality and the return or destruction of the data at the end of the contract.

In addition, members will need to be given more information, including for how long trustees intend to hold their data and the legal basis for which it is being used. 

There are also changes to the mechanics of complying with requests from members to be told what information is held about them and for notifying breaches to the ICO.

Finally, the penalties for non-compliance with the data protection requirements will increase considerably. The ICO can currently impose sanctions of up to £500,000. Under the GDPR, this will rise to €20 million or 4% of annual global turnover, whichever is greater. Although it is highly unlikely in practice that trustees would ever face fines of anything approaching this magnitude, it does illustrate the importance of compliance.

What next?

If trustees have not already done so, data protection needs to be put on the agenda for an upcoming trustees’ meeting.

Trustees need to identify what information they hold, who processes it on their behalf and the legal basis on which this data is being processed.  They also need to have copies of their agreements with all third party data processors so they can start the process of reviewing them.

There is a lot to do over the next 12 months and some of it will take a while.  Trustees should put an action plan in place to ensure they have identified everything they need to do and have enough time to do it.

We can help with this.