The Data Protection Act 2018, which came into force on 25 May 2018, sets out the framework for data protection law in the UK. It sits alongside and supplements the UK GDPR (which came into effect on 1 January 2021). The UK GDPR sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies. It is based on the EU GDPR (which applied in the UK before that date).
A data controller decides the purposes for which, and the means by which, personal data is processed, and is responsible for ensuring that it is processed in a manner which complies with the relevant requirements of the UK GDPR. In the context of a pension scheme, the trustees will be data controllers.
A data processor is someone (other than an employee of the data controller) who processes personal data on behalf of the data controller. In the pensions context, scheme administrators (and possibly payroll providers) will be data processors.
Under the UK GDPR, “personal data” means any information relating to a “natural person” (namely, the individual on whom data is held) which enables that individual, whether directly or indirectly, to be identified. Personal data therefore includes someone’s name, NI number or other factors which are specific to their identity, including physical, cultural or social factors.