Preparing for the General Data Protection Regulation (GDPR)

27 April 2018
The new GDPR rules come into effect on 25 May 2018 and aim to strengthen data protection for customers, giving them more control over their personal information.

What is GDPR?

In a nutshell, GDPR will change how businesses handle their customers’ personal information. It will also give customers more say over how their data’s used and stored.

What you need to do

Here are some of the things you need to consider as part of your GDPR requirements:

  • Check the data you hold – where did it come from? Who are you sharing it with?
  • Keep records of your data processing activities – if you’ve shared inaccurate data with anyone, let them know so they can update their records.
  • Tell employees how their personal data is processed – do you have a privacy notice explaining this?
  • Review and update your company material and processes – are your policies and privacy notices up to date and compliant?
  • Change the way you deal with data requests – how will you respond to employees requesting a copy of the information you hold on them? You need to respond within one month.
  • Be prepared to deal with data protection breaches – put clear policies and procedures in place so you can react quickly. Where a breach is likely to put individuals at risk, you have 72 hours from becoming aware of it to notify the regulator.
  • Check you have retention periods (how long you can keep personal information for) – you need to delete data you no longer need.
  • Check you’ve got a legitimate reason for processing personal information – you must meet at least one of the GDPR’s six ‘lawful bases’ before you can legally process personal data.

How we're protecting your workforce

We’ve pulled together experts from across the Royal London Group and created a Data Governance project team to tackle the GDPR changes. 

What we're telling members

We’ve updated our privacy notice to explain:

  • what we do with their personal information
  • who we share it with
  • where we get it from
  • the legal basis for using it
  • their rights and how they can take action, and
  • how long their personal information might be kept for.

Customers can read our privacy notice by visiting royallondon.com/privacynotice.

What we're telling trustees

We believe, as joint data controllers, Royal London and trustees are both responsible for processing personal information - we provide professional advice on how best to administer your scheme and you’re responsible for agreeing how we use your members' data.

To confirm our roles and responsibilities, we’ll send trustees a copy of our Data Sharing Agreement explaining how personal information is shared between Royal London and the trustee. It will also include information on who deals with access requests, data breaches etc. Trustees will be asked to complete, sign and return the agreement to us.

We’ve explained more about roles and responsibilities below.

For more information about what GDPR means for trustees, please go to ico.org.uk.

Roles and responsibilities

GDPR applies to ‘data controllers’ and ‘data processors’. The descriptions below explain the difference between ‘data controllers’ and ‘data processors’ and our responsibilities under both roles:

Data controller

The data controller determines the means and purpose of processing personal information. They can use a data processor to provide expertise, but the data controller has the final say in what happens with this personal information.

Data processor

The data processor is responsible for using personal information in line with instructions from the data controller.

A Royal London example

When Royal London receives your auto-enrolment workforce assessment data, we become the data processor.

Once your employees are scheme members, Royal London then becomes the data controller.

We’re responsible for deciding why and how personal information is used. This makes us the data controller.

You're the data controller for the information you share with us. You're also the data controller for the information we share with you to help run your workplace pensions - for example when we tell you about:

  • employees who might need advice
  • joiners, leavers and changes to members’ personal details.

Once you’ve given us information about the employees you need to automatically enrol into your workplace pension, we’re the data processor. Then, once the employee becomes a member and we have a direct relationship with them, we’ll become the data controller again.

How can I get more information?

For more information about GDPR and a full list of your responsibilities, please go to ico.org.uk.

Last updated: 04 Jun 2018

The Royal London Mutual Insurance Society Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Registered in England and Wales number 99064. Registered office: 55 Gracechurch Street, London EC3V 0RL.