GDPR and Your Company Pension Scheme

By Paul King, Acuvest


A new landmark law will be introduced in May which will change the way companies process private information on individuals. For trustees of a pension scheme, these changes are of relevance. Paul King, Acuvest’s Business Development and Client Manager, explains all on the new General Data Protection Regulation (GDPR).

The European Union is on the cusp of introducing the most significant change in data privacy regulation in its history. With just four months to get familiar with the new General Data Protection Regulation (GDPR), the EU has a dedicated website to the legislation complete with a countdown clock. At the time of writing, Irish companies have just 105 days, nine hours and 55 minutes to get GDPR ready.

The website is a great first port of call to get a grip of the basics of GDPR. The enforcement date is the 25th of May 2018, and the EU warn that hefty fines may follow any companies who are non-compliant.


What is GDPR exactly and why is it of interest in 2018?

Data privacy is at the centre of these new laws. By that, we mean everything and anything that relates to how an individual’s personal and private information is held by a company, whether that’s a client database in a large multi-conglomerate or the group pension scheme of an organisation.

According to the EU, the new law was designed “to protect and empower all EU citizens data privacy and to reshape the organisations across the region approach data privacy”. The onus is on those who possess and process data on individuals to understand their new strict levels of compliance.

A key requirement for certain companies under the rules is the appointment of an in-house Data Protection Officer. That person’s role will be to ensure all data held on individuals complies with the legislation that determines how data is collected and used, its accuracy and security measures employed when processing that data. Those in breach may be liable for up to €20m in fines or four per cent of global turnover.


The penalties for non-compliance are frightening, so how do I ensure I am compliant?

The EU aren’t setting out to catch out businesses, but the penalties are reflective of just how serious data protection and an individual’s right to privacy is.

Data controllers, the people who charged with handling personal data within a company – and company pension scheme – will take responsibility for how this information is collected, stored and used.

There are some very simple rules to follow, namely that all personal and sensitive data must be:

  • Collected for specific and legitimate purposes;
  • Fully secured and protected;
  • Sufficient for the purposed it was collected;
  • Accurate and up-to-date;
  • Processed for the purpose it was collected and only for that purpose;
  • Not retained any longer than necessary;
  • Must be transparent in showing why this data is being held;
  • Held with consent.


That sounds reasonable and fair so how will a company monitor these instructions?

The person charged with managing data within a company or group pension scheme must ensure that the new regulations are kept in check to ensure compliance. There must be proof that the laws are being taken seriously and that regular updates are filed to maintain essential data privacy rules. Efforts must be made to keep the Data Protection Commissioner informed of best work practice on the possession and processing of data.


I’m a pension Trustee, so what do I need to do to make sure our scheme is GDPR compliant?

It’s a great question for those charged with overseeing pension schemes and the privacy of members of those plans. Trustees are responsible for compliance with the new regulations and should show how they are dealing with the personal data relevant to that scheme.

Another important point to note is that the same responsibility applies to third parties on same and this includes administrators, employers, investment companies and risk insurers. Because of this, Trustees should try and get confirmation from the relevant third parties that they are demonstrating and keeping compliance with the pending regulations. One way to do this is to review all relevant contractual arrangements with third parties.

A checklist could be prepared in advance of the new laws, to include;

  • Trustee Liability Insurance – ensure the policy is extended to include obligations in respect of GDPR;
  • Upskilling – to allow the relevant personnel charged with processing personal data to get the right information on GDPR, an information leaflet based on the new laws should be distributed among all Trustees and appropriate parties;
  • Practice makes perfect – GDPR is on its way to stay so this isn’t a one-off exercise for an initial understanding of the basics. Ensure that GDPR compliance is added to the risk register so that all the demands within the regulation are upheld and updated accordingly;
  • A good starting point for all is in the EU’s GDPR specific website –