The General Data Protection Regulation (GDPR)

15 June 2018
The new GDPR rules came into effect on 25 May 2018 and aim to strengthen data protection for customers, giving them more control over their personal information.

What is GDPR?

In a nutshell, GDPR will change how businesses handle their customers’ personal information. It will also give customers more say over how their data’s used and stored.

What you need to do

Here are some of the things you need to consider as part of your GDPR requirements:

  • Check the data you hold – where did it come from? Who are you sharing it with?
  • Keep records of your data processing activities – if you’ve shared inaccurate data with anyone, let them know so they can update their records.
  • Tell employees how their personal data is processed – do you have a privacy notice explaining this?
  • Review and update your company material and processes - are your policies and privacy notices up to date and compliant?
  • Change the way you deal with data requests - how will you respond to employees requesting a copy of the information you hold on them? You need to respond to within one month.
  • Be prepared to deal with data protection breaches – put clear policies and procedures in place so you can react quickly. You have 72 hours to notify the regulator.
  • Check you have retention periods (how long you can keep personal information for) – you need to delete data you no longer need.
  • Check you’ve got a legitimate reason for processing personal information – you must meet at least one of the GDPR’s six ‘legal bases’ before you can legally process customer data.

How we're protecting your workforce

We’ve pulled together experts from across the Royal London Group and created a Data Governance project team to tackle the GDPR changes. 

What we're telling members

We’ve updated our privacy notice to explain:

  • what we do with their personal information
  • who we share it with
  • where we get it from
  • the legal basis for using it
  • their rights and how they can take action, and
  • how long their personal information might be kept for.

Customers can read our privacy notice by visiting

Trustees and employers with non-auto enrolment schemes

We take our data protection responsibilities very seriously. We always handle personal information with great care and only use it when we have a clearly identified legal basis.

When dealing with trustees and non-auto enrolment schemes, Royal London is the independent data controller. The agreement we have, allows us to decide what data we need to administer schemes and how we use the personal information we collect. 

A data processing or any other legal agreement between us isn’t needed. This is because we’re not processing information under your instruction (as a data processor) or agreeing what data is collected and how it’s used together (as joint data controllers). 

Our privacy notice explains more about how we collect, store and use your employees’ personal information.

Roles and responsibilities

GDPR applies to ‘data controllers’ and ‘data processors’. Below explains the difference between ‘data controllers’ and ‘data processors’ and our responsibilities under both roles:

  • Data controller
    The data controller determines the means and purpose of processing personal information. They can use a data processor to provide expertise, but the data controller has the final say in what happens with this personal information.
  • Data processor
    The data processor is responsible for using personal information in line with instructions from the data controller.

A Royal London example

When Royal London receives your auto enrolment workforce assessment data they become the data processor.

Once your employees are scheme members, Royal London then becomes the data controller.

We’re responsible for deciding why and how personal information is used. This makes us the data controller.

You're the data controller for the information you share with us. You're also the data controller for the information we share with you to help run your workplace pensions - for example when we tell you about:

  • employees who might need advice
  • joiners, leavers and changes to members’ personal details.

Once you’ve given us information about the employees you need to automatically enrol into your workplace pension, we’re the data processor. Then, once the employee becomes a member and we have a direct relationship with them, we’ll become the data controller again.

How can I get more information?

For more information about GDPR and a full list of your responsibilities, please go to