From 19 June 2026, all pension scheme trustees will be required, as data controllers, to have a process in place for the handling of data protection related complaints.
Trustees will need to amend their existing complaints handling processes to ensure that they comply with the new statutory requirements.
We take a look below at the key requirements and the practical steps trustees should be taking now.
Background
The Data (Use and Access) Act 2025 requires all data controllers (including trustees) to have a process in place by 19 June 2026 for the handling of data protection related complaints. The complaints process must comply with certain requirements (which are summarised below).
The ICO has issued accompanying guidance to assist data controllers in complying with the new obligations: How to deal with data protection complaints.
Complaints from data subjects to trustees could relate to matters such as:
- How data has been collected and processed by the trustees
- The security measures and controls the trustees have in place in relation to personal data, or
- How the trustees have responded to a data subject access request.
Trustees may be tempted to use their existing Internal Dispute Resolution Procedure (IDRP) to deal with these new requirements. Yet as the statutory timescales for responding to a data protection complaint differ from those under the scheme's IDRP, in practice we would recommend that a separate complaints handling procedure is adopted. Typically this will be achieved by:
- Amending the trustees' existing data protection policy to set out their data protection complaints handling procedure
- Amending the trustees' existing privacy notice to inform data subjects of their new right to complain, and
- Adopting a new standalone complaints form for data protection related complaints.
Key requirements for the new data protection complaints procedure
The key requirements underpinning the new complaints procedure include the following:
- Firstly, trustees should inform data subjects of their right to complain if they consider that there has been an infringement of the data protection legislation in connection with their personal data. This can be documented in the trustees' privacy notice.
- Trustees will also need to remind data subjects of their right to complain when responding to a data subject access request (DSAR).
- Trustees must facilitate the making of complaints by taking steps such as providing a complaint form which can be completed electronically and by other means. The accompanying guidance from the ICO suggests that this requirement can be fulfilled by hosting a complaint form online, which can then be completed and emailed to the data controller.
- Importantly, whilst trustees can invite data subjects to complete a complaint form, the ICO guidance notes that there is no obligation for them to do so and they may complain in any way they choose (including through other channels). Trustees should address such complaints in the same way as those received via a designated complaint form.
- Trustees must acknowledge receipt of a complaint within a period of 30 days (including bank holidays and weekends) beginning when the complaint is received.
- If trustees are joint data controllers with another party (e.g. scheme administrator or actuary) and they receive a complaint addressed to both parties, appropriate arrangements should be put in place with the third party for responding to such a complaint.
- Trustees must both investigate the complaint and inform the data subject of the outcome "without undue delay" (which the ICO interprets as meaning "without unjustifiable or excessive delay"). This obligation runs from the date the complaint has been received, rather than after the 30-day acknowledgement period.
- Trustees should keep the complainant updated on the progress of the investigation (e.g. keeping the complainant up to date with timeframes and explaining any delays).
- Once the trustees have completed their investigations, they should let the complainant know the outcome of the complaint (including the conclusion reached and any steps or actions the trustees have taken to resolve the complaint). Where the trustees have complied with data protection law, this should be explained to the complainant.
- There may be instances where the trustees are responding to a data protection complaint as part of a wider complaint about other issues. If the trustees can inform the complainant of the outcome to the data protection complaint sooner than they provide an outcome to the other issues, they should do so.
- Trustees should keep a record of the date they received the complaint, the trustees' acknowledgement of the complaint, any relevant conversations and documents, the outcome of the complaint and any actions taken as a result of the investigation into the complaint. Any personal data should be retained in line with the trustees' privacy notice.
Key actions for trustees
- Update the data protection policy, setting out the trustees' data protection complaints handling procedure.
- Amend the privacy notice to inform data subjects of their right to complain.
- Adopt a new standalone complaints form for data protection related complaints and host the form on a publicly available website (alongside the privacy notice).
- Ensure that a process is in place to deal with complaints made jointly to the trustees and a third party (e.g. scheme administrator or actuary).
- Update processes to ensure compliance with the timescales for acknowledging, investigating and responding to a complaint, and with the record-keeping requirements.
- Update the DSAR process to include a reminder that the data subject has a right to complain.
- Ensure that trustees (and scheme administrators) are trained to recognise a data protection complaint and comply with the new requirements.
If you require assistance in complying with these changes or if you wish to discuss your scheme more generally please get in touch with your regular pension team contact.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.