Help and support

What is GDPR?

The General Data Protection Regulation, or GDPR, is the new data protection legislation replacing the Data Protection Act 1998.

It’s a European Union regulation which aims to give people more control over how their personal data is collected, used, stored and shared. It’s designed to strengthen and unify the data security measures of businesses in the European Union.

B&CE, provider of The People’s Pension, already makes sure that data protection is central to our business. Under GDPR, we’re more transparent about how we collect, use, share and store our customers’ (and employees’) data.

GDPR came into force (after a two-year transition period) on 25 May 2018.

If you’re a business and you need help preparing for GDPR, see The Information Commissioner’s website »

Or if you’re a member, there’s some handy information from the European Union »

What does GDPR cover?

GDPR gives our customers more freedom to control the data we hold about them. They have a right to:

  •  Be informed
  •  Be forgotten
  •  Object to data being held or processed
  •  Correct the information held about them
  •  Portability of their data

But what does this really mean?

Be informed.

It’s all about transparency. We’ll tell you who in the organisation is the data controller and give you their contact details. This is the person responsible for ensuring data is used and stored correctly.

Our customers have a right to be told about what data we hold on them, how their data is used, why it’s used and who it’s shared with.

Be forgotten.

Our customers have the right to ask for their data to be deleted. But we may not always be able to do this when we’re required by law to keep information for a certain period of time.

Object.

Our customers can object to their data being used for certain purposes or processed in a certain way. This could be, for example, objecting to direct marketing. It’s not always possible for us to follow an individual’s request though – especially where we have a legal obligation.

Correct.

If we hold inaccurate information about a customer, they have a right to request it’s updated.

Portability.

Our customers have the right to ask for their data in a portable format so that it could be transferred to another organisation.

What’s a data controller and data processor?

A data processor is anyone (other than an employee of the data controller) that processes personal data on behalf of the data controller.

A data controller controls how and why personal data is processed. B&CE, provider of The People’s Pension, is a data controller in its own right. As joint data controllers, both B&CE and the employer have full responsibility for the compliance and accountability of the data collected and used.

For more information on definitions, see The Information Commissioner’s website »

As a customer of B&CE, provider of The People’s Pension, does my business need to do anything about the employee data we provide?

Once you’ve provided us with your employee data, B&CE also becomes responsible for ensuring this data is compliant with GDPR. We become joint ‘data controllers’ (see What’s a data controller and data processor? for more info).

You’ll still remain responsible for your employee data in terms of their employment with you. B&CE, along with the Trustees of The People’s Pension, will become responsible for how that data is protected in relation to your pension scheme.

Lots of businesses, especially the smaller ones, are struggling with what GDPR means for them.

There is a common misunderstanding that B&CE is a ‘data processor’ for employers using The People’s Pension. But actually, B&CE is a data controller in its own right. As joint data controllers, both B&CE and the employer have full responsibility for the compliance and accountability of the data collected and used. This means that you don’t need to set up a controller/processor agreement with us in relation to the employee data you provide us.

To help us, please make sure that the employee data you provide is accurate and up-to-date.

How does B&CE, provider of The People’s Pension, look after our data?

We recently updated our Privacy notice and will be sending this to all our customers. Both you and your employees will receive a copy. It explains all you need to know about how we capture, process, store and dispose of data. You can also take a look at this on our website »

B&CE has robust cyber security measures in place, which we regularly review to keep up-to-date with current cyber security threats. Our systems and procedures follow UK, EU and globally accepted standards. The information we collect from our customers is stored on secure servers based both in the UK and the EU. If you’d like more information on this, take a look at pages 39 and 40 of our AAF Assurance Report »

As all businesses need to use data in different ways, you should seek your own independent advice.