In six months' time, pension scheme trustees will be responsible for ensuring their scheme complies with the new data protection regime under the General Data Protection Regulation (GDPR). Trustees who have not already started preparing for GDPR should do so now: there may be more to do than first meets the eye, and GDPR advisers are suffering from a capacity crunch. Answering the following eight questions will help you assess how much you have to do to ensure you are GDPR compliant.
- Do you know who holds your scheme data, where they hold it and what they are doing with it?
- Are you satisfied scheme data is properly protected?
- Do you have appropriate data protection/cyber-security policies and processes and do you know if they are being followed?
- Do you know the legal basis on which you are processing members' data, particularly sensitive data such as health information?
- Is your privacy notice GDPR-ready?
- Are you prepared to deal with a data breach?
- Are your contracts with the third parties who process scheme data on your behalf GDPR compliant?
- Have you appointed a Data Protection Officer, or recorded the reasons why you don't need one?