Pensions - Articles - Time to focus on data breach response plans

 Daniel Taylor, Director at Trafalgar House, said: “With such dramatic build up, GDPR has been somewhat anticlimactic since its implementation. However, its real value can already be seen, as it encourages more trustees to feel genuinely accountable for data for the first time. Crucially though, increased action must go hand in hand and response plans are far more important for members than general GDPR policy - but few schemes have actually begun work on them, because they often simply don’t know where to start.

 “Like so much around GDPR, data breach response plans can be overcomplicated, so for many trustees it’s about breaking things down into distinct actions. If done correctly, a response plan needn’t be merely a tick box exercise but can also allow schemes to take a proactive approach to protecting member data. It allows schemes to deal quickly and efficiently with breaches that occur and to prevent them in the first place. A good place to start is to agree the following:

 1. Definitions and explanations of what a breach is
 2. A decision framework for who decides what needs to be escalated, and when
 3. Potential strategies for containing and remedying breaches, both hypothetical and model
 4. A strong communication plan
 5. Details of how a breach should be recorded and followed up after the event to identify root cause

 “Trustees cannot avoid putting these plans off - as with most things, delay makes the process no easier and could even put member data at risk. Data breach response plans needn’t be cumbersome, but they can involve complex processes and difficult decisions, so trustees would be naive to think it is something that can be done in the spur of the moment.”