For national General Data Protection Regulation guidance and information on specific requirements for organisations, please visit the Government website.
How will the GDPR affect scheme members?
Peninsula Pensions and Devon County Council already have procedures in place which comply with similar data protection principles under the Data Protection Act 1998. The new regulations will reinforce these existing requirements, and members are unlikely to notice a change in the service they receive from us.
How will members know that Peninsula Pensions is GDPR compliant?
We are required to have a privacy notice in line with the new requirements setting out, among other things, why certain data is held, the reason for processing the data, who we share the data with and the period for which the data will be retained. Within the notice, members will also be provided with additional information about their rights under the legislation.
Why does Peninsula Pensions hold personal data?
We require various pieces of personal data provided by both the individual member and their employer in order to administer the pension scheme. This data includes, but is not limited to, names, addresses, National Insurance numbers and salary details which are required to maintain scheme records and calculate member benefits.
Who do we share personal data with?
On occasion, we are required to share personal data with third parties in order to meet regulatory and government requirements, to gather necessary information for the accurate payment of member benefits and to ensure scheme liabilities are met. All administrators' privacy notices will set out who they share data with; this is likely to include bodies such as scheme employers, fund actuaries, auditors and HMRC.
Can members ask for their data to be deleted?
The GDPR provides individuals with the ‘right to be forgotten’ in certain limited circumstances. However, in practical terms the exercise of this right in relation to your pension scheme membership is limited, as the deletion of data can prevent the fund from carrying out its duties. Peninsula Pensions is required to process personal data to comply with legal obligations under pension legislation; therefore, the ‘right to be forgotten’ is unlikely to apply to data held by us.
What happens if there is a data breach?
Data breaches are a rare occurrence within Peninsula Pensions. However, should a security breach concerning a member’s personal data occur that is likely to result in a risk to that member’s rights and freedoms, there will be a direct obligation under the GDPR for us to ensure that the Information Commissioner’s Office is informed within 72 hours of the breach taking place.