From 19 June 2026, trustees need to meet new requirements to have a data protection complaints process under the Data Use and Access Act 2025.
Trustees can choose to retain their current internal dispute resolution procedure (IDRP) and create a separate complaint process and complaint form specifically for complaints relating to data protection, or incorporate the data protection complaints process into their existing IDRP.
However, trustees should be aware that different requirements apply under the new data protection complaints regime as compared to the existing IDRP regime, and each have different escalation routes (one to the Information Commissioner’s Office and one to the Pensions Ombudsman). If trustees decide to incorporate the data protection complaints process into their existing IDRP, they will need to ensure the requirements outlined below in relation to data protection complaints are met.
What are the new data protection complaints requirements?
From 19 June, new requirements will apply in relation to complaints about data protection. This could include complaints about the way trustees have responded to a subject access request, the security measures trustees have used to store personal information, or how trustees have collected or used personal information.
Data protection law requires trustees to:
- give people a way of making data protection complaints, such as providing a complaint form that people can submit either electronically or in writing, or providing an email address for people to submit complaints to;
- update the scheme’s privacy notice to provide details of the right to make data protection complaints to the trustees;
- acknowledge receipt of complaints within 30 days of receiving them;
- without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
- without undue delay, tell people the outcome of their complaints.
There may be cases where a data protection complaint forms part of a wider complaint about other issues relating to the pension scheme. If trustees can provide an outcome to the data protection complaint sooner than the other issues, trustees must do this, as waiting to deal with all the issues at once without justification could cause an undue delay.
What steps should trustees take now to ensure compliance?
We recommend that trustees take the following steps before 19 June:
- Document a data protection complaints process, setting out the method chosen for receiving complaints, and explaining that the trustees will acknowledge complaints within 30 days, keep people informed of progress, and explain the outcome. This can either be a separate complaint process and complaint form specifically for complaints relating to data protection or form part of the existing IDRP.
- Update the scheme’s privacy notice to (i) meet the new legal obligation to inform people about the right to make data protection complaints and (ii) provide details of how to make data protection complaints.
- Provide details of the data protection complaints process (or amended IDRP) and the updated privacy notice in newsletters, via online portals or in other routine communications sent to members.
- Ensure the new data protection complaints process is shared with the scheme administrator. Trustees should ensure administrators are aware that specific requirements apply to data protection complaints (particularly where the process is incorporated into the existing IDRP and may be more easily overlooked), and consider agreeing new service standards with the administrator.
For further information, please contact:
Claire Collier, Linklaters
claire.collier@linklaters.com
