Your GDPR checklist

31 May 2018

Now the dust has settled around the new General Data Protection Regulation (GDPR), it’s a good opportunity to take stock and review the actions you’ve taken. Here’s a handy checklist of things you should’ve considered.

Are you fully compliant with GDPR?

On 25 May 2018, the new General Data Protection Regulation (GDPR) came into force. Like all businesses, you'll have spent a lot of time making sure you understood the changes and what it meant for your business, your employees and your customers.

Your GDPR checklist

This checklist will help you make sure you’re compliant with GDPR.

  • Check the personal information you hold on both your customers and employees - Where did it come from? Do you need all of it?
  • Check you've got a genuine reason for processing personal information - You must meet at least one of the GDPR's six 'legal bases' before you can legally process personal information.
  • Check you have retention periods for all personal information - You need to be clear how long you'll hold information for and delete anything you no longer need.
  • Record your data processing activities - If you've shared inaccurate data with anyone, let them know so they can update their records.
  • Identify who you share information with - For example, Royal London, so we can assess your workers for auto enrolment and administer your employees’ pension plans. Do you share any information with a financial adviser?
  • Explain to your customers and your employees how you, or others on your behalf, process their personal data - Do you have a privacy notice to explain this?
  • Review and update your business material and processes - Are your policies and privacy notices up to date and compliant?
  • Change the way you deal with data requests - How will you respond to requests from customers or employees to see a copy of the information you hold about them? You now need to respond within one month.
  • Be prepared to deal with data protection breaches - Put clear policies and procedures in place so you can react quickly. You have 72 hours to notify the regulator.
  • Review your marketing procedures - If you issue direct marketing, have you put in place a clear process for opting out customers that don’t want to receive this?

To help businesses comply with the regulation, the Information Commissioner's Office (ICO) has created a Guide to the GDPR which covers the key points that employers need to know.

GDPR and your Royal London workplace pension

We take our data protection responsibilities extremely seriously and treat your and your employees’ data with the utmost care, diligence and security. We only use this information where we have a clearly identified legal basis for doing so. We explain this in more detail in our Privacy Notices, which are available on our website.

We recently emailed you about the changes we’ve made to our terms and conditions for auto enrolment in light of GDPR. You can access the new terms and conditions documents here.

There are some specific actions you should have taken in respect of your Royal London workplace pension.

  • Provide your employees with a privacy notice that explains what personal information is collected, how it's used and who it's shared with (including Royal London and financial advisers).
  • If you’ve provided your employees' information to an adviser who plans to contact them directly, you should make sure your employees know this and give them the option to opt out of any direct marketing or contact from the adviser.

Want more information?

You can find a full list of your responsibilities and more information on GDPR by visiting

The Royal London Mutual Insurance Society Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Registered in England and Wales number 99064. Registered office: 55 Gracechurch Street, London EC3V 0RL.