In a nutshell, GDPR will change how businesses handle their customers’ personal information. It will also give customers more say over how their data is used and stored.
Here are some of the things you need to consider as part of your GDPR requirements:
We’ve pulled together experts from across the Royal London Group and created a Data Governance project team to tackle the GDPR changes.
We’ve updated our privacy notice to explain:
Customers can read our privacy notice by visiting royallondon.com/privacynotice.
We believe, as joint data controllers, Royal London and trustees are both responsible for processing personal information - we provide professional advice on how best to administer your scheme and you’re responsible for agreeing how we use your members' data.
To confirm our roles and responsibilities, we’ll send trustees a copy of our Data Sharing Agreement explaining how personal information is shared between Royal London and the trustee. It will also include information on who deals with access requests, data breaches etc. Trustees will be asked to complete, sign and return the agreement to us.
We’ve explained more about roles and responsibilities below.
For more information about what GDPR means for trustees, please go to ico.org.uk.
GDPR applies to ‘data controllers’ and ‘data processors’. The diagram below explains the difference between the two and our responsibilities under both roles:
The data controller determines the means and purpose of processing personal information. They can use a data processor to provide expertise, but the data controller has the final say in what happens with this personal information.
The data processor is responsible for using personal information in line with instructions from the data controller.
When Royal London receives your auto enrolment workforce assessment data, it becomes the data processor.
Once your employees are scheme members, Royal London then becomes the data controller.
We’re responsible for deciding why and how personal information is used. This makes us the data controller.
You're the data controller for the information you share with us. You're also the data controller for the information we share with you to help run your workplace pensions - for example when we tell you about:
For more information about GDPR and a full list of your responsibilities, please go to ico.org.uk.