Written by: Tim Myatt
Publish Date: Apr 11, 2019
Read time: 8 minutes
Trustees and their scheme administrators, whether in-house or outsourced, cannot fail to have noticed that the General Data Protection Regulation (GDPR) is now in force.
But in our experience, while awareness is out there, appropriate action has not always been taken, and stakeholders run the risk of financial and reputational damage if they are unable to demonstrate at least a clear strategic plan towards compliance: organisations that are found to be non-compliant with the GDPR run the risk of fines of up to 4% of global turnover.
One of the biggest challenges facing Trustees, whether they are managing their own administration or have outsourced this to a third-party administrator (TPA), is that so much of their past member data is held in physical formats such as paper and microform (microfiche and microfilm) records, either on-site or off-site with a storage provider.
The key point is that physical archives can be huge and sprawling, difficult to manage and time-consuming to navigate. This causes problems when you consider two seminal principles of the GDPR:
- The need for an accurate view of personal data held by an organisation
- The need to be able to respond quickly to enquiries about personal data held on individuals, for example in response to subject access requests (SARs)
For more information, why not read what 12 steps your organisation should be taking now for GDPR in this useful infographic. Additionally, you can also read the following action plan for pension scheme trustees here.
The need for visible metadata
In one extreme case we investigated, a company had 13,000 boxes of documents stored in various locations across the UK. It had no information or metadata to tell it what was in the boxes, whether to start looking in box 1 or box 10,001 for a specific record, or whether it had permission from the individuals concerned to hold their data at all.
The solution in this scenario can vary, but without any available metadata it will normally involve significant manual effort: lifting the lid on every box to create a file-level inventory, securely destroying records that can no longer be retained under the GDPR, and then scanning and indexing the remainder so that they can be cost-effectively managed and accessed going forward.
In our view, if trustees can demonstrate they are honestly moving down the path to compliance, regulators are unlikely to come down on them too hard in the early stages of the new regulation. However, the GDPR has been in force for nearly a year, so the time to urgently review progress and take action is now.
Clear roles and responsibilities
Trustees should be clear on their roles and responsibilities relating to the GDPR. While most trustees are aware of the need for good housekeeping in data management, the number of schemes that we see without a fully indexed set of records suggests that the first place to start is with an accurate information audit.
Not only does this ensure that the scheme complies with the requirement to know which personal data is held about individuals, but it also means that the archive is in a state where it can be purged of data that is no longer required and that should no longer be retained.
Having completed an audit and erased non-compliant data, trustees should concentrate on ensuring they have processes in place to stay on top of compliance. Since an electronic document is easier to deal with than a physical one, this should include ongoing scanning, indexing and secure storage.
GDPR as a trigger for digitising documents
At EDM Group, we’ve recently seen an upswing in enquiries where GDPR is a driver for digitising pension member records – particularly from large corporates and local government authorities. One large local authority we work with has recently initiated a project to convert all of its 200,000+ records from microfiche, microfilm and paper into digital images in order to gain complete visibility of its archive.
It is now well on the way to maintaining a well-indexed, searchable archive in which each record is filed on a per-member basis. Indexes structured in this way make it far easier to find what could otherwise be the proverbial needle in a haystack.
Very simply, EDM provides a solution to help trustees understand the extent of their archive and information under management, whether that’s in-house or managed by a TPA. In either case, archives are digitised and presented in a compliant format that can be built upon moving forward.
Act now to avoid future risks
The time to act on the key tasks involved in achieving GDPR compliance is now. We have already seen prosecutions by the ICO in the press. The Pensions Regulator itself has been looking very closely in recent times at how funds manage their data, so the need to be compliant with the GDPR will build on, and dovetail with, these investigations.
For all of those reasons, trustees need to ensure they not only understand what the GDPR means, but also follow through with an effective action plan that takes clear steps towards compliance. The worst decision any trustee could take at this stage is to defer this critical task or, worse, do nothing.