New data protection rules may have gone “under the radar” for some trustee boards, raising concerns about how pension schemes handle potential complaints, according to Zedra.

The professional trustee firm has highlighted a forthcoming change to data protection complaint rules, due to come into force on 19 June under the Data (Use and Access) Act 2025.

The Information Commissioner’s Office (ICO), which oversees data protection in the UK, said the new rules require any organisations handling personal data – including pension schemes – to support users in making complaints. This can be done by providing online forms and other communication methods. Complaints must be acknowledged within 30 days of receipt, and organisations must respond “without undue delay”.

Lauren Shipman, a trustee executive at Zedra Inside Pensions, Zedra’s specialist governance services unit, said the workload to comply with the new rules was “relatively modest” for most schemes. The majority of work is likely to include updating complaints procedures, privacy notices and governance documentation, she explained.

“However, there is concern that the changes may have gone under the radar for some schemes amid wider regulatory pressures and competing governance priorities, and that some may need to establish new documented complaints-handling processes,” Shipman continued.

“Although modest, this is important governance work that trustees cannot afford to overlook.”

While much of a pension scheme’s data is handled by third parties such as administration providers, Shipman highlighted that responsibility for compliance with data protection rules remained with a scheme’s trustee board.

Trustees need to ensure they have clear procedures and reporting lines in place in case complaints are made and to ensure issues are not escalated to the ICO or the Pensions Ombudsman, she added.

Shipman explained: “If complaints emerge later and trustees cannot evidence proper procedures, it could quickly open a can of worms from a governance and reputational perspective.

“With that in mind, trustees should now be using the remaining time before the rules take effect to review existing data complaints procedures, ensure member-facing privacy notices and governance documentation are updated where necessary, and confirm responsibilities with third-party administrators and processors.”

The Pensions Regulator’s review of administrators, which was completed last year, flagged inconsistencies in how cybersecurity is handled across the sector. It highlighted limited progress on business continuity planning, but also acknowledged that cybersecurity practices more generally were “becoming more robust”.