Data controllers, which in the context of pension schemes, may include pension scheme trustees, administrators, the employer or third parties, are now required to have a process for handling data protection complaints. There are no exemptions to this. Following the coming into force on 19 June 2026 of the relevant provisions of the Data (Use and Access) Act 2025 that introduced this requirement, we highlight the key points.
In summary, data controllers must:
- Give people a way of making data protection complaints, including providing a complaint form which can be completed electronically and by other means.
- Acknowledge receipt of complaints within 30 days of receipt (starting the day after the complaint is received), including weekends and bank holidays.
- Without undue delay, take appropriate and proportionate steps to respond to complaints, including making appropriate enquiries, and keep people informed.
- Without undue delay, tell people the outcome of their complaints.
- Tell people they can complain to the Information Commissioner’s Office (ICO), shortly to become the Information Commission. Complainants do not have to wait for the outcome of their complaint to complain to the ICO.
Why?
If someone considers that their personal data has been mishandled, they can complain to the data controller. The complaint can be about how data controllers have handled their personal information (or the personal information of someone on whose behalf they are acting). This could include complaints relating to the handling of requests for information, security measures used for data, or more broadly how an organisation has collected or used their personal information.
The new process is intended to make things easier for complainants.
What does this mean for data controllers?
Pension scheme trustees and other data controllers should ensure they are aware of the new requirements and implement a procedure for data subjects to submit complaints.
- Prepare a data protection complaints policy to ensure obligations and timeframes are met. It is not essential for this to be written but a written policy will be helpful for everyone’s clarity. While not essential, it is also recommended that organisations have a mechanism for reviewing their own decisions, if asked to do so by complainants.
- If there are joint controllers and processors involved, consider who is responsible for dealing with data protection complaints.
- Update public facing information, on websites for example.
- Consider how to deal with vague complaints made via social media or even verbally (as complaints do not need to be in writing).
- Consider reviewing the privacy notice to ensure members are aware of the complaints process.
- Consider whether any service agreements with administrators need to be updated.
- If organisations have internal procedures for staff to follow when they receive a complaint, they are not expected to publish these externally.
- Signpost the complainant to the right route for the next step: data issues go to the ICO; pensions issues go to the Pensions Ombudsman.
- Keep records to evidence compliance whilst being mindful personal information should be kept no longer than necessary.
- Align the data protection complaint process with the existing dispute resolution process.
- Ensure the data protection complaint is identified (as the complainant might not label it as such), so it can be dealt with in accordance with data protection complaint deadlines. To assist with this, consider asking complainants what outcome they are seeking.
The new regime requires data controllers to separate data protection-related complaints from other types of complaints. It might be tricky to distinguish a data protection complaint from a subject access request or expression of general dissatisfaction. The ICO guidance contains examples of data protection complaints which may be helpful with that analysis.
What’s next?
In the future, legislation may be introduced that requires organisations to tell the ICO how many complaints they receive within a given period. There is no requirement to do this yet, but the ICO suggests organisations may wish to record the number of complaints they receive, as well as recurring trends and themes to help them improve.
In the future, the ICO might provide templates for data controllers to use in responding to complainants.
If you need any assistance with updating your privacy policy, formulating a data protection complaints process, revising your existing Internal Dispute Resolution Procedure, or reviewing third party service agreements to deal with the issues raised in this briefing, please get in touch.
Explore more insights
Articles 18 June
Personal profiles, professional insights: Tatiana Young
Tatiana Young knows first-hand that immigration isn’t just a legal process – it’s a deeply personal journey. Read…
Events 05 June
Preventing sexual harassment at work
Blake Morgan has partnered with the Suzy Lamplugh Trust to run a series of training sessions on preventing…
Articles 03 June
EHRC draft Services Code of Practice laid before Parliament
What is in the Equality and Human Rights Commission’s (EHRC) updated draft Services Code of Practice? We look…

