Pension scheme trustees have been urged to ensure they comply with a new law requiring a data protection complaints process ahead of its introduction next month (19 June), after Zedra warned the changes may have gone “under the radar” for some schemes.

The Data (User and Access) Act 2025 (DUUA) applies to all organisations acting as data controllers, including trustees.

The act, which received Royal Assent last year, introduced several changes to how pension schemes handle and share data and is aimed at improving transparency and giving members better access to their information.

Under the new regime, schemes must ensure members are able to raise data protection complaints directly, that complaints are acknowledged within 30 days, and that they are handled appropriately and without unnecessary delay.

Zedra Inside Pensions trustee executive, Lauren Shipman, said that, for many pension schemes, meeting the new requirements would involve only limited changes, such as updating existing complaints procedures, privacy notices and governance documents.

“However, there is concern that the changes may have gone under the radar for some schemes amid wider regulatory pressures and competing governance priorities, and that some may need to establish new documented complaints-handling processes," she noted.

She added that “although modest, this is important governance work that trustees cannot afford to overlook”.

Ultimately, Shipman said, accountability rests with trustees, and this can create “potential governance and oversight risks” where responsibilities, procedures and reporting lines have not been clearly reviewed.

She encouraged trustees to ask administrators to confirm what changes have been made and whether governance arrangements remained compliant.

She added that if left unaddressed, these issues could increase the risk of complaints escalating to the Information Commissioner’s Office (ICO), the Pensions Ombudsman or wider governance scrutiny.

“If complaints emerge later and trustees cannot evidence proper procedures, it could quickly open a can of worms from a governance and reputational perspective,” she concluded.

---