
Data Quality At The Heart Of GDPR

22 June 2018

By Adam Green, Chief Risk Officer at Equiniti

The arrival of the General Data Protection Regulation (GDPR) is a wake-up call for all those processing pensions and working with data in the pensions arena. 

Trustees, administrators, sponsors – the data controller – must now demonstrate they are compliant, while trustees must ensure their own data processors are also up to speed with the new rules and able to demonstrate their own compliance.

Everything you do for the scheme is based on data – it is the lifeblood of all processes. The way schemes view data can often parallel the way most of us look after our physical wellbeing – we do what we can, but there’s always room for improvement.

Raising the quality of your data is not only useful for de-risking exercises. Better data means cleaner admin and that saves money in the long term.

We have become accustomed to a continual growth in the scale and retention of data, almost as if there’s no such thing as ‘too much data’. GDPR is swiftly changing that outlook. If you can’t clearly state a use for it, then don’t collect or save it. This is not only a matter of efficiency: data held without a clear use becomes a potential risk, as it works against the regulatory objective of ‘data minimisation’ and possibly the lawful basis for processing.

Naturally, you will need to record data that relates to benefits, possibly for many decades, but if it doesn’t need to be saved for the operation of the scheme, or a regulatory reason, consider whether you have a basis to record it at all.

Beyond the data itself, trustees can no longer rely upon any form of ‘implied agreement’ from their members for holding it. Exclusions allow for processing of data for the necessary running of the scheme, but trustees must be sure of their position for other data or usage.

If it isn’t held to comply with obligations under legislation (or the Trust Deed and Rules and legislation), or “for the purposes of legitimate interests pursued by the controller” or a third party, then you should be asking yourself why you still have it.

However, here the issue of legacy raises its head. Far too many schemes hold data they have no use for, and getting it wrong may prove expensive. Data breaches attract a greater legal liability than before, with the maximum fines being €20 million or 4% of group annual global turnover, whichever is higher. Whilst these numbers have made headlines, the more notable costs may well be those of remediation and restitution, which in other regulatory regimes can far exceed the fines.

The Information Commissioner’s Office (ICO) has set out that it would only look to material fines for the worst levels of compliance, but it will seek to take action for a range of compliance issues. Its guidance has been that it will be understanding if it sees an organisation has been making genuine efforts to move older issues forward.

A notable point to consider is that unambiguous individual consent may be required for ‘special’ information (also known as ‘sensitive’) – such as medical data gathered for determinations on ill health early retirement cases – and processes should be discussed with scheme advisers as to how to make them watertight in order to protect both the scheme and the member.

GDPR requires data protocols and processes to be appropriate and fit for purpose. This means all data processors and controllers must review their data handling on a regular basis to ensure they remain compliant.


Now is the ideal time to consider if you are completely comfortable with your data processes and knowledge of your underlying data quality.
