Special category personal data, on matters such as health or sexual orientation, is subject to much stricter rules, and processing it needs a specific condition on top of the ordinary lawful basis. A member might willingly consent to sharing health data in the course of an ill health early retirement case. An expression of wish form, however, can be a banana skin: by naming a beneficiary it may, for the first time, record an individual’s sexual orientation. If you have not covered this off, it is a risk the scheme does not need to carry.
Belt and braces
With many more schemes approaching maturity, de-risking exercises are increasingly common, and these too present data protection dangers of their own.
Knowing which data to hold in what format is just a part of the conundrum. Deciding what should be erased and when is an equally thorny subject.
The various regulatory regimes that impact pension schemes require data to be held for anywhere between a minimum six years and many decades. Equally, a claim may be made many years – even decades – after a member has left the scheme.
It is therefore essential to identify the data that is not needed for administrative, regulatory or potential litigation purposes. You cannot keep data simply because it may be useful one day: to be able to use it in the future, you must have a basis for processing it now.
The deletion of data requires careful thought and planning. Individuals have the right to ask you to consider erasing their data; however, which items are in scope for erasure depends on your basis for processing. It is important to settle a view on both the scope and the duration of retention before a request is received, not after.
Who’s in charge?
The regulations do not require every organisation to appoint a data protection officer (DPO). Nevertheless, GDPR breaches often arise from a lapse in administrative rigour, and that can happen to the best of us. Having a single point of responsibility for GDPR should give schemes a clearer understanding of, and greater control over, their processes, and therefore over their compliance.
Creating a living process to manage data requirements and relationships with administrators is likely to be a more valuable risk management measure than completion of an assessment form once a year.
Here to help
Those who help you process your data will be able to give you advice on how to keep on top of your GDPR compliance.