Pension trustees will soon have to comply with a 30-day timeframe in responding to data complaints from members. Administrators will need to recognise and separate out data complaints on any ‘reasonable’ channel – including social media and live chats. 

The rules coming in as part of the Data (Use and Access) Act 2025 apply from 19 June to all organisations that act as data controllers. It means that a data protection complaint must be acknowledged within 30 days and responded to without ‘undue delay’. 

This short deadline raises a host of new challenges for trustees and administrators. One of them is that administrators or trustees might not recognise a data complaint as such when it first arrives. The 30-day countdown starts from the moment a complaint is received, but a complaint could be hidden in a routine service query, says Elaine Hiles, a senior knowledge lawyer at Norton Rose Fulbright.

“If a complaint sits in a shared inbox for a week, that time is already lost,” she warns. 

But a similar risk arises where a complaint is handled through the internal dispute resolution procedure, which often have longer response periods. An IDRP complaint could include a data issue without labelling it as such, said Hiles. 

There is also a danger that complaints are missed because of where they are made. Hiles urges trustees to watch out for complaints coming through ‘unofficial’ channels, as the legislation requires them to accept complaints received through any reasonable channel. 

“This includes through social media where the organisation has an online presence,” she said, warning that trustees cannot rely on members using an online form or a particular email address.  

With less than a month to go, there is not much time left to prepare where turstees have not done so yet. Hiles said schemes should have clear processes with administrators and any other relevant parties so that complaints can be handled within the new timeframes. 

“This may mean reviewing administrator contracts and service levels. Where there are joint controllers, it should be agreed who does what and how deadlines will be met in practice,” she advised. 

IDRP workflows should be tested, she added, to ensure that data complaints will be spotted. Training will also be important to ensure that trustees, administrators and others who deal with member contacts can recognise a data complaint when it arises, she said. In addition, scheme documentation will likely need to be updated.

As the first point of contact for scheme members, the heaviest burden will fall on administrators.

“Staff will need to distinguish between data complaints and other types of requests, such as subject access requests. This applies across all contact channels, including where staff may not expect to handle data complaints, for example online live chats – whether this be with an individual or an AI chat assistant,” Hiles pointed out.

Administrators might also find that complaint volumes increase. “Currently, some members go straight to the [Information Commissioner’s Office]. Under the new approach, members will usually be encouraged to raise complaints with the trustee first. Administrators should review their resourcing and capacity in light of this shift,” she recommended.

For many pension schemes, the work required to comply is relatively modest, believes Lauren Shipman, a trustee executive at Zedra Inside Pensions, involving updates to existing complaints procedures, privacy notices and governance documentation.

“However, there is concern that the changes may have gone under the radar for some schemes amid wider regulatory pressures and competing governance priorities, and that some may need to establish new documented complaints-handling processes. And although modest, this is important governance work that trustees cannot afford to overlook,” she said.

Shipman urged trustees to seek confirmation from their administrators on what changes have been made and whether governance arrangements remain compliant.

“If these issues are not addressed, it could increase the risk of complaints escalating to the Information Commissioner’s Office, the Pensions Ombudsman, or broader governance scrutiny,” she said. “If complaints emerge later and trustees cannot evidence proper procedures, it could quickly open a can of worms from a governance and reputational perspective.