What the UK's data protection reforms mean for pension trustees

Overview

While a far cry from the sweeping GDPR compliance uplift of 2018, trustees are nonetheless faced with a new series of data protection and e-privacy reforms under the Data (Use and Access) Act 2025 (DUAA) – most of which came into effect on 5 February 2025. The DUAA was a long time in the making and despite receiving Royal Assent on 19 June 2025, the various changes are being phased in over time via secondary legislation. Trustees may well be forgiven, therefore, for needing a reminder as to how the existing law has changed, what is new and what has (at least in terms of compliance) stayed the same. This briefing covers those points and sets out the actions trustees should take to ensure they remain data protection compliant.

What has changed

Automated decision-making (ADM)

There has been a relaxation of ADM rules with a view to encouraging the adoption of AI tools. 

What counts as ADM?

ADM involves the making of significant decisions about individuals based solely on automated processes, without meaningful human involvement, often using algorithms or artificial intelligence tools. It can include profiling, i.e. automated processing of personal data to evaluate an individual's behaviour, preferences, or status. ADM rules only apply where the processing results in "significant decisions" - those with legal or similarly substantial effects, such as decisions that affect someone's employment opportunities, financial position, access to essential services, health, reputation, behaviour or choices. Examples in the pensions context include using automated or AI tools to enhance member engagement and communication strategies, to detect anomalies in member accounts to prevent potential scams, to personalise retirement planning (including targeted support) and to allow customisation of investment strategies.

Previously, trustees could only make automated decisions if one of three narrow conditions was met, being that:

  • the individual had given explicit consent
  • the processing was necessary to perform a contract
  • the decision was specifically authorised by UK law, such as for the purposes of detecting fraud or tax evasion - subject to strict safeguards. 

A further layer of protection applied when processing special category data, such as health data. In addition to meeting one of the above exceptions, organisations either needed the individual’s explicit consent, or the processing needed to satisfy specific substantial public interest conditions.

Greater flexibility for ADM – with guardrails

Except where special category data is involved, the prohibition on ADM has been lifted. For non-sensitive data, this enables organisations to rely on other lawful bases, such as legitimate interests, to carry out ADM. Where ADM involves special category data, the stricter limitations survive. There are still mandatory safeguards for all ADM. Trustees must:

  • inform individuals that an automated decision-making process is being used
  • provide individuals with an opportunity to make representations
  • offer a route to meaningful human intervention; and
  • allow individuals to contest the automated decision.

What is new

Data protection complaints procedure

This is the most significant new requirement for trustees. They will need to ensure that their processes for handling data protection complaints meet new rules under the DUAA ahead of a 19 June 2026 deadline. The new rules are designed to facilitate complaints being made directly to the data controller and include mandatory information requirements and timeframes. Trustees must:

  • put in place an accessible way to receive complaints from data subjects
  • acknowledge complaints within 30 days of receipt
  • without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries and providing timely updates; and
  • without undue delay, inform data subjects of the outcome of their complaint (including their right to escalate to the Information Commissioner's Office (ICO)).

The newly introduced section 164A of the Data Protection Act 2018 provides that "a controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means". Helpfully, the ICO guidance is not prescriptive as to the way in which complaints must be made and certainly does not require setting up an electronic complaint form. It says:

"How you do this is up to you, but you could take one of the following actions:

  • provide a complaint form that people can submit to you either electronically or in writing (eg by email or post);
  • provide an email address for people to submit complaints to;
  • allow people to make complaints over the phone;
  • provide an online complaints portal;
  • have a live chat function with the option to escalate to a human if needed; or
  • give people a way to make complaints to you in person (eg if you don’t have an online presence).

You’re not required to set up a separate tool for receiving complaints, as long as you can still meet your obligations. You may already have an existing complaint tool that isn’t data protection specific but you can adapt it to include data protection complaints". 

Trustees should, therefore, consider whether to have a separate data complaints procedure or whether to amend their existing Internal Dispute Resolution Procedure (IDRP) to cover such complaints. Having a written procedure makes it easy for both members and those dealing with complaints to know what they need to do. Although trustees can invite members to use their set process, there is no obligation on members to do so. Members can complain in any way they choose, including through other channels. For example, they may complain over the phone to the scheme administrator or use a chat or email function on a scheme member website.

Whilst the ICO suggests you could publish your complaints procedure online, there is no legal requirement to do so.

"Without undue delay" is clarified in the ICO guidance as meaning "without an unjustifiable or excessive delay". Schemes should start investigating complaints once received and not wait until after the 30-day acknowledgement period. If the complaint can be investigated and an outcome provided within 30 days, trustees can combine the two communications into one. 

What is an unjustifiable or excessive delay will, according to the ICO, depend on the circumstances, and may vary from one complaint to another and from one trustee board to another. However, trustees should be aware that they may be required to reach an outcome sooner than the period provided for in their scheme's IDRP, which will usually require disputes to be determined within four months of receiving a complaint. The important thing is to consider all the circumstances of the complaint and not to apply a set period of time as a blanket approach. The time it takes to investigate will depend on matters including but not limited to:

  • the complexity of the issue
  • the scale of the issue (e.g. whether it’s a singular complaint about a recent issue, or a complaint about a number of issues over a longer time period); and
  • any harm that the member is suffering as a result of the unresolved issue.

What constitutes a data protection complaint?

What counts as a "complaint" is very broad. The ICO guidance makes clear that any allegation by a data subject that a trustee has infringed data protection legislation because of the way their personal data has been handled will constitute a complaint. Just as there are no formalities for raising a data subject access request (DSAR), there is no requirement for specific legal terminology to be used, and the complaint can be made through various media, including in writing and in conversation. Various examples of complaints are provided in the ICO guidance, including a data subject alleging non-compliance relating to DSAR responses, security measures, how their personal data has been collected or used, or how long it has been kept for.

The ICO guidance draws a distinction between complaints relating to infringement of data protection laws and complaints about other matters relating to scheme governance and administration that also involve the exercise of data protection rights. For example, in a pensions context, the following are unlikely to be considered complaints – a data subject acknowledging a DSAR was responded to on time but expressing dissatisfaction that the process was not expedited; a member raising an IDRP complaint and simultaneously raising a DSAR; or a complaint concerning a delay in processing a CETV which includes a request to delete information.

Increased ICO enforcement powers

The ICO is to be abolished and replaced by a new Information Commission (this change, including the new name - relevant for the purpose of updating privacy policies and templates - is yet to come into effect at the time of writing). Unless trustees find themselves subject to enforcement action, perhaps in the face of a cyber-attack or data breach, they should be relatively unaffected by the change in the ICO's functions and powers. The Information Commission is being given increased information gathering and investigatory powers, akin to the powers already available to the Pensions Regulator. In particular, it will now be able to compel individuals to attend interviews, to produce specific documents and to require trustees or their service providers to prepare technical reports, the cost of which must be borne by the scheme.

What has stayed the same

Data subject access requests (DSARs)

Trustees (and those administering the DSAR process on their behalf) who were following existing guidance from the ICO will not need to make changes to compliance practices in relation to DSARs. This is because the DUAA has simply put on a statutory footing two points that had already been clarified in ICO guidance: that searches in response to DSARs are limited to "reasonable and proportionate" searches, and that the clock can be stopped on the one-month deadline to respond where further information is required to enable trustees to identify the personal information or the processing activity that the DSAR relates to.

Trustees will still be able to extend the time to respond by a further two months where a request is complex and there is revised ICO guidance explaining the circumstances in which DSARs can legitimately be refused as manifestly unfounded or excessive.

Grounds for processing member data

The DUAA introduced a list of examples of certain types of processing which "may" count as being necessary for legitimate interests pursued by data controllers. These include where processing is necessary for direct marketing purposes, sharing data intra-group for internal administrative purposes, and ensuring security of network and information systems. These examples were already in the recitals to the UK GDPR, meaning that trustees and third-party administrators are likely already using the legitimate interests basis for these types of processing. Trustees will still need to carry out a balancing test if they wish to rely on legitimate interests for these types of processing.

The DUAA introduced a new lawful "recognised legitimate interest" basis for processing personal data which does not require data controllers to conduct a balancing test between the impact on the data subject and the benefit for the data controller. Trustees may be considering whether this will allow them to provide timely and proactive interventions in relation to safeguarding vulnerable members. The ICO's guidance on recognised legitimate interest published on 23 March 2026, however, confirms that trustees will not be able to rely on this lawful basis as they will not be conducting "safeguarding" which is defined as either:

  • protecting a "vulnerable individual" from neglect or physical, mental or emotional harm; or
  • protecting the physical, mental or emotional well-being of a "vulnerable individual".

Trustees who wish to protect such members from financial harm will still, therefore, need to obtain specific consent or rely on another lawful basis that applies to processing special category data.  

International data transfers

In relation to international data transfers subject only to UK GDPR, a new "data protection test" enables the data transferor to consider "reasonably and proportionately" whether the standard of protection in the recipient territory is not "materially lower" than in the UK. This is a divergence from the EU's "essential equivalence" test. In practice, however, little is expected to change, particularly given the welcome news in December 2025 that, notwithstanding the divergence in the two tests, the EU has renewed (until 27 December 2031) its adequacy decisions allowing the free flow of personal data between the European Economic Area (EEA) and the UK.

Immediate considerations and actions for trustees

Responsibility for complying with data protection laws rests with the trustees as data controller – including the new requirements in relation to handling data protection complaints with effect from 19 June 2026. Of course, in practice, trustees handle very little personal data, with much of it being stored and used by the scheme administrators under a data processing agreement. Administrators are also usually the ones who handle DSARs.

Complaints to trustees are currently dealt with under the scheme's IDRP. Again, scheme administrators are often tasked with dealing with the first stage of an IDRP complaint. Alternatively, IDRP complaints may be dealt with by the scheme's Pensions Manager or the Secretary to the Trustees, a function which may also be outsourced to an external provider.

Given the new requirement to respond without undue delay, trustees should agree who will be responsible for investigating and responding to data protection complaints and consider whether to align this with the person responsible for dealing with IDRP complaints. As with any decision by the trustees to delegate responsibility for performance of tasks relating to the running of the scheme, a decision to delegate its complaints handling procedures to the scheme administrator, pensions manager or scheme secretary (where the trustee is the data controller and the third party is the data processor) will not absolve trustees of their responsibilities as a data controller under data protection law. In the event of non-compliance, the trustees would be liable and accountable for any breach.

To reduce the risk of non-compliance, trustees should:

  • review existing contractual arrangements with processors to ensure that they include appropriate provisions (including timescales). Where trustees wish to consider delegating investigating and determining certain simple complaints that have resulted in no loss or harm to members to their administrator or pensions secretariat, this will be a risk-based decision for the trustees.

  • ensure that anyone who may deal with members on behalf of the scheme receives training on how to identify data protection complaints, how to differentiate complaints from DSARs and other complaints relating to the scheme and where a complaint is received, the actions that must be taken. Internal processes should be documented, tested and reviewed from time to time.

  • update privacy policies and template DSAR responses to make clear that a data subject has the right to make a complaint and set out how to do this.

  • ensure appropriate written records are kept of the complaint journey.