I am going to suppress the urge to put a pirate theme on this blog, based on the title.
The General Data Protection Regulation (GDPR) is a current “hot topic” on the pension scheme Trustee agenda. The key reason is that people have left it quite late to think about it, and in some scenarios a lot of work might need to be done.
This isn’t a technical blog; if you want the basics, there is plenty (and I mean plenty) of information out in cyber space, both general and pensions industry specific. This blog is a quick tip guide, so please excuse the brevity.
Firstly, as a professional trustee I get to see a lot of technical notes on the same subject. There is a huge breadth of views which range from GDPR being a minor extension to Data Protection laws, all the way to the sky falling down and you must spend considerably to build a roof over your head or the Scheme will be crushed. The correct answer, as it usually is, is probably somewhere in the middle. How skewed to the extremes will depend on how good your processes were to begin with.
My key GDPR tips are:
- Shop Around – there are differing opinions on GDPR and some advisers are far more prepared than others. There is also a huge price disparity, and you should ensure value rather than just going with incumbents.
- Speak to Your Sponsor – the sponsor will almost certainly have a GDPR officer, or someone tasked with reviewing their own processes. Working together can share costs and bring buy-in from the sponsor.
- Don’t Pay for Others’ Compliance – your pension scheme advisers must comply with GDPR to continue to trade. The Scheme should not pay its advisers for non-scheme-specific compliance measures that they are otherwise legally required to implement in order to continue to operate as data processors or data controllers. There is a difference between getting their ship in order and value-added consultancy. Make sure you check that costs are for the latter only.
- Get Started – regardless of your pension scheme’s position, you will undoubtedly have some work to do. If you don’t start to assess the scope and scale of your compliance project, you may find out you don’t have the time to get key tasks done ahead of the GDPR enforcement date of May 25th next year.
From initial data mapping to documenting processes, policies and procedures, GDPR should not be rocket science. It is common sense application of data privacy principles that I think we can all relate to and understand. That is not to say it can’t be labour intensive and take a lot of time. That is why we need to get moving with the assessment and implementation process.
I managed to get the word ship and mapping in, so I didn’t fully avoid the pirate theme. My apologies. Shiver me timbers.
For more information or to discuss the content of the blog please get in touch.