On 25 May 2018, the new General Data Protection Regulation (GDPR) came into force. It aims to strengthen data protection for customers, giving them more control over their personal information. We take our data protection responsibilities extremely seriously and treat your and your employees’ data with the utmost care, diligence and security. We only use this information where we have a clearly identified legal basis for doing so. We explain this in more detail in our Privacy Notices.
Rest assured that we don't use the data that you provide to us for any type of marketing or cross-selling activities.
We recently emailed you about the changes we’ve made to our terms and conditions for auto enrolment in light of GDPR. You can access the new terms and conditions documents here.
What do I need to do?
There are some specific actions you should have taken in respect of your Royal London workplace pension.
- You should have provided your employees with a privacy notice that explains what personal information is collected, how it's used and who it's shared with (including Royal London and financial advisers).
- If you’ve given your employees' information to an adviser who plans to contact them directly, you should make sure your employees know this and give them the option to opt out of any direct marketing or contact from the adviser.
Your GDPR checklist
Like all businesses, you'll have spent a lot of time making sure you understand the change and what it means for your business, your employees and your customers.
Now the dust has settled around the new General Data Protection Regulation (GDPR), it’s a good opportunity to take stock and review the actions you’ve taken. Here’s a handy checklist of things you should’ve considered. This checklist will help you make sure you’re compliant with GDPR.
- Check the personal information you hold on both your customers and employees – You must check where the information on them has come from and question if you need all of it.
- Check you've got a genuine reason for processing personal information – You must meet at least one of the GDPR's six 'legal bases' before you can legally process personal information.
- Check you have retention periods for all personal information – You need to be clear how long you'll hold information for and delete anything you no longer need.
- Record your data processing activities – If you've shared inaccurate data with anyone, let them know so they can update their records.
- Identify who you share information with and what it's used for – You might want to consider what data you share with a financial adviser.
- Make your customers and employees aware – You should explain to your customers and your employees how you, or others on your behalf, process their personal data. You should review your privacy notice to make sure it includes this.
- Review and update your business material and processes – You should check your policies and privacy notices are up to date and compliant.
- Change the way you deal with data requests – You should look at how you'll respond to requests from customers or employees who ask to see a copy of the information you hold about them. You now need to respond within one month.
- Be prepared to deal with data protection breaches – You should make sure you have clear policies and procedures in place so you can react quickly to any data breaches. You have 72 hours to notify the regulator.
- Review your marketing procedures – If you issue direct marketing, make sure you have a clear process for opting out customers who don’t want to receive it.
To help businesses comply with the regulation, the Information Commissioner's Office (ICO) has created a Guide to the GDPR which covers the key points that employers need to know.
Want more information?
You can find a full list of your responsibilities and more information on GDPR by visiting the Information Commissioner's Office website.