With large fines, reputational damage and costly remediation and restitution, the stakes are high. Quite apart from that, running your scheme with the right data will make it more accurate and more efficient and save you money in the long term. So, is your data fit for purpose? And how will you keep it that way? Here are six key questions to ask in order to ensure your data is in tip-top condition now and for the future.
1. Are you storing data you don’t need to?
GDPR is about data minimisation, so if you can’t clearly state a use for a piece of data, then don’t collect or save it. Of course, you need to record benefits data, but if something doesn’t need to be saved for the operation of the scheme or for a regulatory reason, ask whether you have a basis to record it. As an added bonus, cutting down the data you collect helps your processes become more efficient.
2. Have you got explicit agreement?
You cannot rely on ‘implied agreement’ from members for holding any information unless it is necessary for the running of the scheme.
3. Can you demonstrate you have tried to follow the rules?
Data controllers like trustees, administrators and sponsors must now demonstrate they are compliant. Trustees must also ensure their data processors are up to speed with the new rules and able to demonstrate their own compliance.
The Information Commissioner’s Office (ICO) has said it will be understanding if an organisation has made genuine efforts to address legacy data issues.
4. Are you treating sensitive data carefully?
Unambiguous individual consent is particularly called for when it comes to dealing with sensitive information, such as medical data gathered for ill health early retirement cases. Discuss these processes with your scheme advisers.
5. Are you completely comfortable with your data processes and knowledge of your underlying data quality?
With so much at stake, trustees need to be 100% confident they have the processes in place to meet the spirit of the GDPR rules. If you are not, get independent help to review what you’re doing and advise how it can be brought in line with the rest of the industry.
6. Are you seeing this as a new way of working?
GDPR requires data processors and controllers to review their data handling on a regular basis to ensure they remain compliant, so trustees need to build data compliance into their everyday ways of working and not just check in sporadically.
Getting data processes into shape isn’t a one-off exercise: it’s an ongoing programme of adjustments and improvements.