Agenda item
Presentation - GDPR
Minutes:
Ms Susan Black from Hymans Robertson gave a presentation on GDPR. Ms Black informed the Board that the GDPR regulations were introduced in 2018; however, the Scheme Advisory Board had released updates in September 2021 and, as such, the LGPS Funds had been advised to use the updated templates it had provided.
Ms Black said the purpose of the GDPR regulation was to enhance individuals’ control and rights over their personal data, to simplify the regulatory environment for international business and to address the transfer of personal data outside the EU and EEA areas. She said the UK version of the GDPR regulations closely followed the principles set by the EU and said there were penalties if companies did not follow the guidance. She said the Information Commissioner’s Office (ICO) had a range of actions it could take if there was non-compliance. Ms Black said that, aside from the financial penalties, an organisation risked reputational damage.
In terms of the Fund, Ms Black said the risk register already captured failure to comply with the GDPR regulation as a potential risk and said a risk assessment had already been done, with a range of internal controls in place. She said the policies had been shared with employers; however, the other risk was cyber risk. Ms Black said that steps had been taken to address this, with officer training, risk workshops and regular Board updates being provided. She said the purpose of this was to ensure everyone was up to date with the latest information on GDPR compliance.
In response to comments and questions from the Board members the following was noted:
- Ms Black clarified that organisations were obligated to report GDPR breaches. She said if there was any under-reporting the regulator would step in. She said where there had been large data breaches, such as a cyber-attack, the ICO would investigate this separately.
- In response to whether the ICO was reactive or proactive in investigating breaches, Ms Black said this was hard to say; they had been proactive. Ms Adams added that the Pension scheme had to adhere to the Pensions Regulator’s code of practice and that cyber risk was an important topic.
- Ms Adams clarified that the Information and Governance Team within the Council had overall responsibility for GDPR. She said the templates had been passed on to the team, who were happy with the documents. They had recommended that the Council’s website should be updated to include the additional information.
- Ms Adams clarified that the mandatory training was for all staff to complete. She said it was a refresher for staff, with further training workshops also being offered.
- In response to how compliance with data protection can affect compliance with GDPR, Ms Adams stated that considerable progress had been made over the past few years. She said they now had an employers’ forum and the i-Connect system, whereby employers were required to upload information. She said there were still six employers who were not compliant; however, they were working with them to resolve this.
- ACTION: The Chair, Mr Jones, requested that the presentation slides be circulated to members of the Board.
The Chair thanked Ms Black and Mr McKerns from Hymans Robertson for attending the Board meeting.