This is the GDPR update from our Pensions Group,which summarises some practical aspects of where GDPR processes for pension schemes are at one year on.
In the period since 25 May 2018, there have been a number of minor breaches involving pension schemes which have generally been closed without further action by the Data Protection Commission. The Data Protection Commission's office has a specifically appointed person in charge of the pensions industry and is aware that pension schemes hold and control significant amounts of personal data. It has become clear that carrying out a dry run of the breach procedure and incident response plan is a worthwhile exercise for trustees.
Many schemes have not yet been able to complete finalising GDPR terms and conditions with all of their third party providers due to the complexity of the interaction between investment platforms, administrators, sponsoring employers and trustees. This means that designing a practical data breach procedure which involves all of these four parties and their respective different security protocols can be a challenging exercise.
The attached update indicates some of the things that have worked so far and some of the things that have not and what the next steps for trustees are with regard to GDPR compliance.
To view the full article please click here.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.