GDPR


The General Data Protection Regulation (GDPR) is a set of European Union (EU) regulations that came into force on 25 May 2018. It has changed how organisations process and handle data, with the key aim of giving greater protection and rights to individuals. As of 25 May 2018 the GDPR has been implemented into UK law through the enactment of the Data Protection Act 2018 (DPA). The DPA, derived from the GDPR, is now the main source in UK law for the principles and articles that the GDPR introduced.

What laws currently govern data protection in the UK?

Currently in the UK the Data Protection Act 2018 sets out how your personal information can be used by companies, government and other organisations. The GDPR is now supplementary to the DPA, meaning that the GDPR should be read alongside the DPA, with the DPA being the main source of authority for data protection law in the UK.

Will the GDPR still apply to the UK after Brexit?

The UK has now implemented the DPA, which means the GDPR provisions have overall been translated into UK law irrespective of Brexit. There are some small differences between the GDPR and the DPA due to the flexibility granted to member states in how they implement the GDPR provisions. Currently there are no plans by the UK Government to change the DPA or the authority of the GDPR because of Brexit, so it will remain in force even after the UK has fully left the EU.

Further information

This legislation introduced extended rights for individuals in relation to the personal data an organisation holds about them, for example, an extended right to access and a new right of data portability. You can obtain further information about these rights from the Information Commissioner's Office at: or via their telephone helpline (0303 123 1113).

In addition, organisations have an obligation to manage data better, and a new regime of fines has been introduced for use when an organisation is found to be in breach of the DPA.

The GDPR states that personal data must be:

  • processed lawfully, fairly and in a transparent manner

  • collected only for specified, explicit and legitimate purposes

  • adequate, relevant and limited to what is necessary

  • accurate and kept up to date

  • held only for the absolute time necessary and no longer

  • processed in a manner that ensures appropriate security of the personal data.

All of these principles are enforced in the UK through the DPA.

How does the GDPR affect LGPS members?

Your LGPS fund will already have had procedures in place which complied with similar data protection principles under the now obsolete Data Protection Act 1998. The DPA 2018 has reinforced these existing requirements, so LGPS members are unlikely to notice a change in the service they receive from their LGPS fund.

How do members know that their LGPS fund is compliant?

Every LGPS fund was required to update its privacy notice by 25 May 2018 to be in line with the new requirements, setting out, amongst other things, why certain data is held, the reason for processing the data, who the data is shared with and the period for which the data will be retained. The West Midlands Pension Fund's privacy notice is available at

You can also view the Fund's data management policies at, which includes our Data Protection Policy.

Why do LGPS funds hold personal data?

LGPS funds require various pieces of personal data provided by both the individual member and their employer in order to administer the pension scheme. This data includes, but is not limited to, names, addresses, National Insurance numbers and salary details which are required to maintain scheme records and calculate member benefits.

Who do LGPS funds share personal data with?

On occasion, LGPS funds are required to share personal data with third parties in order to meet regulatory and government requirements, to gather the information necessary for the accurate payment of member benefits and to ensure scheme liabilities are met. Each fund's privacy notice will set out who it shares data with; this is likely to include bodies such as scheme employers, fund actuaries, auditors and HMRC.

Can LGPS members ask for their data to be deleted?

The GDPR provides individuals with the 'right to be forgotten' in certain limited circumstances. However, in practical terms the exercise of this right in relation to LGPS funds is limited due to the statutory nature of their function and as the deletion of data can prevent the fund from carrying out its duties. LGPS funds are required to process personal data to comply with legal obligations under pension legislation, therefore, the 'right to be forgotten' is unlikely to apply to data held by LGPS funds.

What happens if there is a data breach?

Data breaches are a rare occurrence within LGPS funds. However, should a security breach concerning a member's personal data occur that is likely to result in a risk to that member's rights and freedoms, there is a direct obligation under the DPA for the Fund to inform the Information Commissioner's Office within 72 hours of the breach taking place.
