UK data protection: new requirements for pension scheme trustees for data protection complaints

With effect from 19 June 2026, data controllers (which normally include pension scheme trustees) must comply with new requirements for data protection complaints.

The Information Commissioner's Office (ICO) has issued useful guidance to help data controllers comply with the new measures (the ICO Guidance). 

The requirements

Under the Data (Use and Access) Act 2025 (DUAA), data controllers, such as trustees, must, with effect from 19 June 2026:

  • Give people a way of making data protection complaints. The submission process can be done electronically or in writing (for example, by making an on-line complaints form available – although an on-line form is not compulsory);
  • Acknowledge receipt of complaints within 30 days of receiving them;
  • Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keeping people informed. The ICO Guidance suggests that, in practice, this will involve keeping the complainant up to date with timeframes and explaining any delays, rather than informing them of the steps taken so far;
  • Without undue delay, tell people the outcome of their complaints; and
  • Inform individuals of their right to complain (this can be done via data protection privacy notices) – and when responding to data subject access requests (DSARs).

Meaning of "undue delay"

The ICO Guidance defines "undue delay" as being "without an unjustifiable or excessive delay", noting that this will "always" depend on the circumstances, which will vary from one complaint to another and one organisation to another. The ICO Guidance notes that "the important thing is to consider all the circumstances of the complaint, not to apply a set period of time as a blanket approach".

The ICO Guidance sets out a non-exhaustive list of the factors which may impact the time taken to investigate a complaint:

  • The complexity of the issue;
  • The scale of the issue (such as whether it is a singular complaint about a recent issue, or a complaint about a number of issues over a longer time period); and
  • Any harm that the complainant is suffering as a result of the unresolved issue.

What is a data protection complaint?

Any individual whose data is processed by trustees (such as scheme members and potential beneficiaries) can make a complaint if they consider that trustees have infringed data protection legislation because of the way their personal information has been handled.

Examples would include complaints about:

  • Responses to DSARs;
  • Data security measures;
  • Data collection or use (such as the length of time data is kept or its accuracy).

The data protection complaint does not have to be labelled as such by the complainant and does not have to be made via the scheme's designated procedure or portal; for example, the ICO Guidance notes that a complaint can be made via social media, where an organisation has an on-line presence. If it qualifies in substance as a data protection complaint, it will be subject to the new requirements.

What should the data protection complaints process look like?

Trustees may choose to integrate their data protection complaints process with their internal dispute resolution procedure (IDRP). However, trustees will need to ensure that the requirements of both processes (such as the different deadlines and requirements to keep complainants informed) are met, within the single procedure.

Alternatively, trustees may choose to operate a separate procedure, in parallel with the scheme's IDRP.

It will also be important for front-line administrators to be able to identify data protection complaints. This may not be straightforward, as a general member complaint about benefits might also contain data protection elements. Trustees, together with their administrators, should consider how these "consolidated" complaints should be dealt with.

However, it is worth noting that not every data protection element of a more general complaint will be subject to the new requirements. The ICO Guidance distinguishes between a complaint and the exercise of data protection rights. For example, if a member makes an IDRP complaint about their benefits and at the same time raises a DSAR, this will not qualify as a data protection complaint. The ICO Guidance suggests that, where it is uncertain, the data controller should ask the complainant to clarify their position.

The ICO Guidance sets out the complaint records which should be kept by data controllers (for example, the date of receipt, acknowledgement, etc). Any new process should state how these records should be kept.

Next steps for trustees

By 19 June 2026, trustees will need to:

  • Design a data protection complaints process, including consideration of whether to adapt the scheme's existing IDRP to include data protection complaints;
  • Consider whether processes should be in place, and if so which, to ensure that a data protection complaint can be identified. This may include additional training for administrators;
  • Update the scheme's privacy notices and DSAR responses, to include the right to complain;
  • Update other member-facing documents in relation to complaints, as appropriate, such as the IDRP; and
  • Ensure a mechanism is in place to facilitate data protection complaints (such as an on-line form).

Authored by Susanne Wilkins.
