Website Cookie Policy

We use cookies to give you the best possible online experience. If you continue, we’ll assume you are happy for your web browser to receive all cookies from our website.
See our cookie policy for more information.

Practice Areas

More Information

Leeds: 0113 244 6100

Sheffield: 0114 267 5588


GDPR – Practical guidance for pension trustees

June 2017

Data protection is changing significantly from 25 May 2018. We explore the changes to the law and suggest our 'Top 6 Actions for Pension Trustees'.

The current legislation (Data Protection Act 1998 (DPA)) has been in place nearly 20 years and from next year will be replaced by the General Data Protection Regulations (GDPR).  This is one matter which will not be shunted into the sidings with Brexit and full compliance will be required from day one.

So, with the starting gun fired what does this mean for pensions?

Let's start by looking at what the GDPR is? 
The GDPR replaces the DPA.  It applies to all EU member states and provides a single EU legal framework for the processing of individuals' data.  In addition (and unlike the existing legislation), it now recognises the technological advances of recent years and strengthens individuals' fundamental data protection rights.  In other words it is 'DPA plus'.

Is it all change from the DPA?
No, some aspects are retained. For example, there will still be the fundamental concepts of:-

  • data controller and processor but note that, for the first time, data processors will be liable for breaches of data protection legislation so that in many respects they will be treated in the same way as data controllers and subject to the same compliance requirements.  
  • personal and sensitive personal data although in both cases the definitions have been widened; and
  • processing in accordance with six data protection principles which look very similar to those under the DPA.

            So far, so good.    So what IS so different then? 

Put very simply, quite a lot when you start to look at how it will operate on the ground. With pensions in mind, some significant changes are as follows.

1. Personal and sensitive personal data must be processed in accordance with certain set conditions. Yes, there are similar provisions under the DPA and so there is some overlap with the current data protection requirements.  The devil is in the detail though and when you start to drill down into each requirement you see that there are some significant differences.

2. The most pertinent change for pension schemes is probably that to do with the concept of consent.  By way of reminder data processing may only occur after an appropriate legal basis for processing has been identified.  The consent of the data subject to data processing is one such legal basis.  Obtaining consent to processing personal and personal sensitive data will become much more difficult.  Existing consent provisions may not be sufficient for GDPR purposes.  It's also important to note that members have the right to withdraw consent at any time (part of the "right to be forgotten" provisions).  This could have significant operational implications for pension schemes.

3. So, if trustees don't want to (or can't) rely on consent, is there another legal basis for data processing?  Probably for pension schemes the obvious choice would be "the legitimate interests" basis, i.e. where data processing is necessary for the purposes of legitimate interests pursued by the data controller.  However, in order to comply with this, members will need to be provided with detailed privacy notices.  It's probably the case that most privacy notices at present will need to be updated to comply with the GDPR.

4. Trustees will need to review contracts with data processors (including scheme administrators) to ensure these are GDPR compliant.  This is likely to require the imposition of new terms detailing the more extensive obligations.  As a quid pro quo (and mindful of their own potential liability for breach of the GDPR), we expect data processors to seek additional indemnities from trustees.

5. And what if things do go wrong?  The time frame for the notification of data breaches will become more onerous.  Any breach will need to be notified to the Information Commission Officer without undue delay and where feasible within 72 hours of becoming aware of the breach.
And if things go really wrong then for the most serious breaches the penalties are being increased up to 20 million euros (or for commercial entities the higher of 20 million euros or 4% of global turnover).




If you would like to discuss any aspect of this article further, please contact Rebecca Cooke or your usual contact in the pensions team on 0113 244 6100.

You can also keep up to date by following Wrigleys Pensions team on Twitter here

The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors



Rebecca Cooke View Biography

Rebecca Cooke


Strong and stable: ignore the spin, the substance still matters

Strong and stable might no longer be a fashionable phrase, but that's exactly what good governance of academy trusts is all about.

Click here to view more

Modern slavery statements and the academy trust

With victims of modern slavery in England likely to number over 10,000, we consider supply chain transparency requirements for academy trusts.

Click here to view more

Community-led housing: Lancaster gathering

Interested in community-led housing? Join us on Saturday 4 November at the Friend's Meeting House in Lancaster.

Click here to view more

Philanthropy Impact - The role of professional advisers, philanthropists...

Date: 07 Nov 2017


Speaker: Fran Hegyi, Executive Director, Hull UK City of Culture 2017; Andrew Dixon, Director, Culture Creativity Place, Bid adviser Leeds 2023; Other speakers TBC

Further information and booking

Schools Breakfast Club: Preparing for GDPR in Schools - 14th November

Date: 14 Nov 2017

Venue: Wrigleys Solicitors, 19 Cookridge Street, Leeds

Speaker: Ibrahim Hassan, solicitor and director of Act Now Training Limited

Further information

Community ownership of land and buildings: lessons and policy implications Scotland & the North

Date: 16 Nov 2017

Venue: Radisson Blu, Leeds

Further information

Mailing list

Receive the latest news, events and updates from Wrigleys:

Follow Wrigleys: