Client feedback

Highly informative. Having leading professionals deliver the TKU course really adds value.
Jonathan Williams ,
Bangor University
​They are very proactive and full of new ideas, they've brought better scheduling and better minute sets.
Paul Rudd,
Express Newspapers
Excellent communication - the trustee training course facilitators were clearly knowledgeable and very experienced in their field and able to convey concept and information in a way I was able to understand.
Phillipa McFadyen,
We now have a very collaborative approach between trustees and employer.
Peter Millard,
Company Secretary, TRL Limited
Thanks for all your help!
Excellent and comprehensive training course. I will definitely refer to what I've learned and received.
Kyp Kyprianou,
Bam Construction UK Ltd

GDPR: the nightmare revisited!

I’m sorry to bring back the agonies of this time last year, but as pension trustee secretary I’ve started the first review of my clients’ GDPR policies. These are due to be completed within the next few weeks and, so far, I’ve found a couple of changes that I have recommended to my clients.

Over the top actions aren’t needed

The first change is to tweak the wording around breaches so we could avoid a full-blown crisis meeting when in fact the breach was very minor and it was a no-brainer that no report to the Information Commissioner’s Office (ICO) was needed.

Fortunately, I haven’t experienced any major breaches during the year (touch wood that continues) but I have found administrators are rightly reporting every minor breach. When a breach is obviously minor and only involves one or two individuals, it is clearly disproportionate to lodge a report or indeed to involve the full pension trustee board in reaching this decision. One of my clients agreed to amend their policy so, in such cases:

  • only the Trustee Chair and a member nominated trustee (MNT) needs be notified to reach a decision
  • the breach is also reported to the governance committee and recorded on the data breach log

Talking of no-brainers…

The second change relates to the ICO’s recommendation for data controllers to complete a three part test when they rely on legitimate interests as their grounds for data processing (see: This isn’t a GDPR requirement and so isn’t essential, but it is seen as best practice. Frankly, when dealing with pension schemes, the responses to the ICO’s list of questions show it is a no-brainer that processing data is in the members’ best interests.

I drew up a note to record the trustee’s responses to the test and its conclusion. A simple way to deal with something you could find pension administrators or lawyers over-complicate.

Although GDPR may still feel like a fresh wound, this is a good time to check everything remains fit for purpose.



Back to opinions


Hot Topic
Master trusts: the future directions for these popular schemes

26 May 2020

In a nutshell, the future of defined contribution (DC) pension master trusts is they will be bigger and better, but there’s a risk they’ll become...

Dealing with distress: help for pension scheme sponsors & trustees

20 May 2020

With many new challenges to face thanks to the Covid-19 pandemic, it’s easy to think an employer’s defined benefit (DB) pension scheme would fall...

A generational divide in communications?

14 May 2020

Top tips for pensions communications often suggest using a mix of media and varying design layouts as different people respond to different things...

More opinions »

Call: 0845 313 0024

online enquiry