Q&A – GDPR Compliance

May 24, 2018

GDPR has finally arrived. Are ITM ready?

We have been working hard over the last two years to ensure our already strong approach to data security aligns with the new General Data Protection Regulation (GDPR). Although we are pleased that we are now fully GDPR compliant, the road doesn’t end there. We will regularly review our processes, procedures and security measures to ensure that we continually improve and develop.

What has ITM done to prepare for GDPR?

To prepare for the GDPR, ITM established a working party with representatives from all our business units. The aim of the working party has been to ensure we fully understand the implications of GDPR for both ourselves and our customers. Given the nature of ITM’s business, the security of clients’ data is a priority.


The working party have travelled a long and winding road completing tasks such as data mapping, updating and issuing appropriate communications, considering how to deal with data subjects’ rights, updating data breach procedures, determining lawful bases for processing data and updating contracts.  We have had to think about both client data and our own internal data such as HR data in respect of employees.

What did the data mapping exercise involve?

As a data business we hold large amounts of data. Mapping the data we hold and documenting it has therefore been an important job and essential to give us a full understanding of the data that we process.  We have reviewed all the data we hold, considering exactly what data we require, how long we need to keep each data item, who we share it with and, where we are the data controller, the lawful basis for holding the data.  We have recorded all this information in our Record of Processing Activities and associated data retention schedules.


Part of this exercise has included carrying out due diligence on all our suppliers to ensure we are satisfied that they are holding our data securely. We have also completed questionnaires from our customers providing assurance that we are holding their data securely and in line with the requirements under GDPR.

What have been the legal implications?

GDPR requires specific clauses to be included in data processing agreements. A big part of the project has therefore been updating contracts with both our clients and suppliers to ensure these meet the new requirements under GDPR.

What security measures are in place to keep data safe?

ITM have an established information security management framework which is audited and complemented by the achievement of ISO27001 and Cyber Essentials Plus.   Several technical and physical controls have been implemented and are maintained to ensure the ongoing confidentiality, integrity and availability of all data stored and processed and resilience of processing systems and services.


ITM are satisfied that our technical and organisational security measures meet the relevant requirements of the GDPR.

Have you appointed a Data Protection Officer?

Yes.  ITM’s business is all about data and we consider it essential that we have a Data Protection Officer. Should you have any questions on ITM’s approach to data protection or specific queries on the security of your data please contact either our Data Protection Officer (by email at DPO@itm.co.uk) or your usual contact.

Do you know any GDPR jokes?

  • Do you know a good GDPR consultant?
  • Yes
  • Can you give me his contact details?
  • No

