Q&A – GDPR Compliance

May 24, 2018

GDPR has finally arrived. Are ITM ready?

We have been working hard over the last two years to ensure our already strong approach to data security aligns with the new General Data Protection Regulation (GDPR).  Although we are pleased that we are now fully GDPR compliant, the road doesn’t end there.  We will regularly being review our processes, procedures and security measures to ensure that we continually improve and develop.

What has ITM done to prepare for GDPR?

To prepare for the GDPR, ITM established a working party with representatives from all our business units. The aim of the working party has been to ensure we fully understand the implications of GDPR for both ourselves and our customers. Given the nature of ITM’s business the security of client’s data is a priority.


The working party have travelled a long and winding road completing tasks such as data mapping, updating and issuing appropriate communications, considering how to deal with data subjects’ rights, updating data breach procedures, determining lawful bases for processing data and updating contracts.  We have had to think about both client data and our own internal data such as HR data in respect of employees.

What did the data mapping exercise involve?

As a data business we hold large amounts of data. Mapping the data we hold and documenting it has therefore been an important job and essential to give us a full understanding of the data that we process.  We have reviewed all the data we hold, considering exactly what data we require, how long we need to keep each data item, who we share it with and, where we are the data controller, the lawful basis for holding the data.  We have recorded all this information in our Record of Processing Activities and associated data retention schedules.


Part of this exercise has included carrying out due diligence on all our suppliers to ensure we are satisfied that they are holding our data securely. We have also completed questionnaires from our customers providing assurance that we are holding their data securely and in line with the requirements under GDPR.

What have been the legal implications?

GDPR requires specific clauses to be included in data processing agreements. A big part of the project has therefore been updating contracts with both our clients and suppliers to ensure these meet the new requirements under GDPR.

What security measures are in place to keep data safe?

ITM have an established information security management framework which is audited and complemented by the achievement of ISO27001 and Cyber Essentials Plus.   Several technical and physical controls have been implemented and are maintained to ensure the ongoing confidentiality, integrity and availability of all data stored and processed and resilience of processing systems and services.


ITM are satisfied that our technical and organisational security measures meet the relevant requirements of the GDPR.

Have you appointed a Data Protection Officer?

Yes.  ITM’s business is all about data and we consider it essential that we have a Data Protection Officer. Should you have any questions on ITM’s approach to data protection or specific queries on the security of your data please contact either our Data Protection Officer (by email at DPO@itm.co.uk) or your usual contact.

Do you know any GDPR jokes?

  • Do you know a good GDPR consultant?
  • Yes
  • Can you give me his contact details?
  • No


Pensions dashboards Pensions dashboards Aug 27, 2020 Defining data for dashboards... Sharing basic data with a centralised dashboard to give individuals a much clearer picture of what they’ll get in retirement. That sounds simple enough. The problem
Child Trust Funds Child Trust Funds Jul 16, 2020 Automatic enrolment from 18 and the green recovery…do child trust funds fit in this puzzle? In 2017 the AE review suggested, amongst other things, that automatic enrolment starts at 18. We’re
DB Consolidators DB Consolidators Jun 11, 2020 Data quality is key to DB consolidation access The UK’s top independent pensions data consultancy, ITM, has warned that trustees will have limited options when it comes to evaluating alternative
Thank you! Your subscription has been confirmed. You'll hear from us soon.