We See More - How Do Schemes Adapt?
how do schemes adapt hero.jpg

How Do Schemes Adapt?

23 July 2018

by Adam Green, Chief Risk Officer at Equiniti

You’ve made it through GDPR-Day, but don’t think that is the end of the matter. Like auto enrolment (AE), GDPR imposes a new regime on schemes that requires regular review to ensure you remain compliant.

Adam Green.jpg

Now is when it starts getting tricky, as that structure has to operate in the real world and you will be charged with making sure it doesn’t get stretched to breaking point.

Ever shifting landscape

It may appear that where individuals have given their consent, there are no grey areas. Yet, things change in members’ lives and this affects the data you hold about them. Even if you have consent now, will you have consent in the future and will it always be appropriate?

Special category personal data on matters such as health or sexual orientation has much stricter rules. A member might willingly consent to sharing data in the process of an ill health early retirement case. However, an expression of wish form could present a banana skin because it may for the first time record an individual’s sexual orientation. If you’ve not covered this off it’s a potential risk the scheme doesn’t need.

Belt and braces

With many more schemes approaching maturity, de-risking exercises are more common and this also presents dangers.

Don’t assume that anonymised or pseudo-anonymised data is automatically acceptable or that your privacy notice and any blanket consent form issued when GDPR was ushered in provides a lawful basis for processing.

You should explain to members when their personal data will be used for reasons that would not be immediately obvious to them, which can include anonymisation and the sharing of data with third parties. Data sharing agreements are necessary for any third party where the individual is still identifiable which can include pseudo-anonymization where ‘back working’ is possible, and should be covered by your privacy policy.

Knowing which data to hold in what format is just a part of the conundrum. Deciding what should be erased and when is an equally thorny subject.

The deletion of data requires careful thought and planning.

The various regulatory regimes that impact pension schemes require data to be held for anywhere between a minimum six years and many decades. Equally, a claim may be made many years – even decades – after a member has left the scheme.

It is therefore essential to focus on the data that is not necessary to fulfil administrative, regulatory or potential litigation scenarios. You cannot keep data just because it may be useful one day. You must ensure you have a basis for processing to ensure you are able to use it in the future.

The deletion of data requires careful thought and planning. Individuals have the right to request you consider erasing their data. However, what items may be in scope for erasure depend on your basis for processing. It’s important to develop a view on the scope of retention as well as the duration before a request is received.

Who’s in charge?

The regulations don’t require all organisations to appoint a data protection officer (DPO). However, GDPR breaches might happen due to a lapse in administrative rigour – and it can happen to the best of us. Having a single point of responsibility for GDPR should provide schemes with greater understanding and control over their processes, and therefore their compliance with it.

Creating a living process to manage data requirements and relationships with administrators is likely to be a more valuable risk management measure than completion of an assessment form once a year.

Here to help

Those who help you process your data will be able to give you advice on how to keep on top of your GDPR compliance.


If you would like further insight on how to assess your compliance, then please speak to one of our team of experts today by completing the form below:

We have detected that you are in United States. We think that Equiniti US would be more suited to deal with your needs.