New data subject complaints regime: what pension scheme trustees need to know
The Data (Use and Access) Act 2025 (DUAA) introduces a new statutory requirement for all data controllers, including pension scheme trustees, to maintain and operate a formal process for handling data protection complaints from 19 June 2026. Recent ICO guidance provides practical detail on how this regime will operate and what organisations must do to ensure compliance.
For pension schemes, the new framework sits alongside existing Internal Dispute Resolution Procedure (IDRP) obligations. Trustees will therefore need to understand how data subject complaints (DSCs) interact with other types of complaints and update governance processes accordingly.
Overview of the new complaints requirement
The DUAA creates a right for individuals to complain directly to the controller where they consider that their personal data has been handled in breach of data protection legislation. Organisations must have a compliant complaints process in place by 19 June 2026. The ICO emphasises that there are no exemptions from this requirement.
The ICO’s guidance sets out what organisations must, should and could do when implementing the new regime, including acknowledgement timescales, investigation standards and expectations around communication.
For more information on the background to the changes, please see Amanda Leiu’s article which considers:
what a data protection complaint is;
how organisations should prepare for receiving complaints;
what organisations need to do when they receive a complaint; and
what practical steps organisations should be taking now.
The implications of the Data (Use and Access) Act 2025 for pension schemes were a topic that Amanda Leiu and Samantha Howell also explored in this short Pensions Pod episode and in this article on practical steps for compliance.
Key legal obligations for trustees
The key legal obligations for trustees to be aware of (as data controllers for their pension scheme) are:
Acknowledgement – trustees must acknowledge receipt of any DSC within 30 days. This is a statutory requirement and marks the beginning of the organisation’s handling period.
Investigation – trustees must take appropriate steps to investigate the complaint without undue delay. The ICO clarifies that this means as soon as reasonably possible and includes making appropriate enquiries and updating the complainant.
Outcome – trustees must provide a clear outcome without undue delay, explaining what was found and any remedial action taken, and informing individuals of their right to escalate to the ICO.
Interaction with existing IDRPs
The new DSC regime operates in addition to the existing IDRP regime for pension schemes. Although some complaints may contain both data‑related elements and other elements (such as benefit-related elements), trustees must recognise that:
A DSC is not the same as an IDRP complaint. It triggers separate statutory duties and timescales.
IDRP timescales (which typically allow for a formal response within 4 months) cannot be applied to DSCs. DSC responses must be issued without undue delay.
Trustees and administrators will need to separate issues clearly where a member raises both data protection and pension benefits concerns within the same communication.
Early identification is essential. Administrators should flag DSCs immediately and apply the correct process.
Next steps for trustees
The key next step is for trustees to review and update their existing IDRP process to incorporate the data subject complaints requirements to ensure their scheme will be compliant with the new regime by 19 June 2026.
Other actions that trustees should consider taking to ensure compliance include:
Updating scheme documentation: consider whether documents such as privacy notices, member booklets and website content should also be updated to reflect the new regime.
Contact your administrator: ask them to confirm how their processes are being updated to accommodate this change (for example, are their staff being trained to identify a data subject complaint) and whether any amendments need to be made to administration agreements or SLAs to reflect this change.
Training: trustees should consider whether to have training so that they are able to recognise DSCs and direct members to the correct process.
Put in place record‑keeping processes: trustees should maintain comprehensive records of DSCs, steps taken, correspondence issued and outcomes reached.
Monitor ongoing ICO updates: The ICO has indicated that guidance will be updated as the regime beds in. Trustees should monitor developments in case additional pensions‑specific clarification emerges.
If you would like support in updating your IDRP or with any of the other steps that trustees should be considering, our team can assist you. Please do not hesitate to get in touch with Samantha Howell, Amanda Leiu or your usual Burges Salmon contact.
This article was written by Ben Jonsmyth and Samantha Howell.