Helen Baker, partner at Sackers, commented: “We’re now within two months of the GDPR coming into force and schemes need to prioritise tasks in the run-up. With significant penalties a possibility under the GDPR, the key is to be able to demonstrate that effort has been made to safeguard member data and to help people understand how to enforce their rights.
1) Privacy Notices – update yours: integral to the new regulations, this document informs individuals of the data you hold about them and where it’s being stored. Despite the high volume of information required, the privacy notice must still support transparency and fairness principles by making it abundantly clear how members enforce their rights. Trustees might want to consider layering information, by providing core information in a concise format and then sharing links to further material for those who wish to read more.
2) Communication – keep it consistent: the general principles of communicating with individuals are that you must be concise, transparent and intelligible. All information must be shared in clear, plain language and provided in an easily accessible form. Ultimately, trustees should ensure that all communications are helpful for the recipient.
3) Contracts with processors – refine them: many of the obligations under the GDPR depend on whether the party holding data is a processor or a controller, so roles must be clearly defined in a contract. Trustees are controllers and, as the ones who ‘own’ scheme personal data and decide what it’s used for, the buck stops with them. Trustees need to engage with all their providers to ensure that contractual terms are up to scratch.
4) Data protection policy – update it: the policy not only demonstrates that a scheme takes its GDPR compliance seriously but will reduce the overall risk of data breaches occurring – and help manage any that do occur. This is where to set out the procedures that have been put in place to safeguard member data, such as cyber security, and to reflect key decisions made by the trustees.”
Baker added: “In the main, the GDPR aims to give individuals a clearer idea of their rights and how to enforce them. Schemes will have to comply with far more stringent rules, but finding a balance between protecting members’ information and being proportionate will be essential.”