Eversheds Sutherland | Lorna Doggett | Stuart Earle | John Inglese
United Kingdom
The UK’s data and marketing laws are being updated by the new Data (Use and Access) Act 2025 (the “Act”). The Act weighs in at a hefty 276 pages and is coming into force gradually over the coming months – a few provisions are already in force.
We take a look below at the key changes relevant to pension schemes and then suggest initial steps you should take to prepare.
What are the key data law changes relevant to pension schemes?
- Data Subject Access Request (“DSAR”) updates. Scheme members have the right to ask for personal data held about them through a DSAR. DSARs are quite common for pension schemes and their administrators. The new law clarifies that the data subject is only entitled to a copy of their personal data based on reasonable and proportionate searches. This enshrines what the Information Commissioner’s Office (“ICO”) has said for a long time in its guidance. It also codifies the “stop the clock” concept, enabling organisations to pause the response time – without the risk of missing the deadline – if they need data subjects to clarify or refine their requests or to provide more information. Once the organisation has the information it needs, the clock starts again. The ICO plans to issue updated guidance later this summer.
- A new right for data subjects to complain to the organisation – with strict timescales and requirements for responding. Individuals will have the right to complain to the data controller (normally the trustees or provider) if they believe there has been an infringement of the UK General Data Protection Regulation (“UK GDPR”). The scheme will have to take steps to enable individuals to make these complaints, for example by providing an online complaint form in a member portal. Schemes must then acknowledge these complaints within 30 days, investigate and inform the complainant of the outcome without undue delay. If schemes or their administrators get this wrong, there is a risk of fines (at the highest tier, up to £17.5 million) and data subjects can also apply to the courts for compensation if they can prove they suffered distress or financial loss from the infringement of their rights. There is a potential risk here of spurious or vexatious complaints. ICO guidance about this is due in winter 2025.
- Changes to legitimate interest rules. There is a new lawful basis for using personal data, called “recognised legitimate interests”. Safeguarding a vulnerable individual (which could be relevant to vulnerable scheme members) is one example of this. Some other legitimate interests are now set out in law. For example, direct marketing can potentially be a legitimate interest. This could be relevant to commercial pension schemes, which may wish to use member data for marketing. Note that in 2024 the ICO, Financial Conduct Authority and Pensions Regulator issued joint guidance which clarifies that regulatory communications are different to direct marketing communications and so do not require direct marketing permissions. These can include, for example, communications to remind members of the option to consolidate pension pots and factually describing the details of different retirement and decumulation options.
- New “compatible purposes” annex. The basic principle of “purpose limitation” under UK GDPR is that personal data must be collected for a specified, explicit and legitimate purpose and must not be processed for a new purpose which is incompatible with the initial purpose. The Act restructures and adds detail to this – it contains two new sets of rules and a new “annex of processing which is to be treated as compatible”. If a scheme or its administrator wishes to use personal data for a new purpose (i.e. one other than the purpose for which it was originally collected), this could be relevant. The overall approach and analysis in respect of this would need to be considered on a case-by-case basis.
- Special category personal data. Special category data is personal data that receives more legal protection because it is sensitive. It includes health data and sexual orientation data (including knowing the name of a spouse or partner, which indirectly reveals sexuality). This is of course highly relevant to pension schemes. The Secretary of State will have new powers to make regulations adding more types of special category personal data to the UK GDPR. This means the tighter special category data rules schemes are familiar with might in future extend to more data – watch this space for updates.
- International data transfers. There are some simplifications and clarifications in the Act. These include confirmation of the requirement to undertake a transfer risk assessment for transfers subject to appropriate safeguards, and clarification that the exporting controller or processor is expected, acting “reasonably or proportionately”, to consider whether a new “data protection test” is met. This test changes the standard of protection required for transfers approved by regulations from the previous “adequacy” wording, which has been the subject of so much case law, to a standard that “is not materially lower” than the standard of protection provided under the UK GDPR and Data Protection Act 2018.
- New ICO powers. The ICO is getting additional enforcement powers. These include the ability to require an organisation to produce documents or prepare reports on a matter. Like the Pensions Regulator, the ICO will also be able to compel an individual (such as a trustee) to attend an interview in person and answer questions where it believes there has been serious non-compliance.
- ePrivacy fines. The ICO’s enforcement powers under the Privacy and Electronic Communications Regulations (“PECR”) – the law relevant to cookies and email/other electronic marketing – are being expanded. The maximum fine for breaches of PECR is increasing to £17.5 million (for pension schemes and other organisations that do not have turnover) or 4% of annual worldwide turnover.
What’s the key takeaway?
To summarise, UK data protection laws have been modernised and simplified, with some important new changes, which are due to come into force gradually over the coming months. Much of this is relevant to the day-to-day administration of pension schemes and changes to schemes’ procedures may need to be made as a result.
What action should I take?
Trustees and providers should consider with their administrators whether any changes are needed to current data privacy processes, particularly in relation to updated DSAR procedures and the forthcoming new “right to make a complaint”. Ask your administrators to confirm they are aware of the new right and the 30-day deadline for responding. Think about how the complaints handling process will work. Also watch out for news on any potential new types of special category data.
On a related note, most schemes will have to review and update their data privacy notices and other documents because they will need to share member data with pensions dashboards. In addition, the Pensions Regulator and the ICO have suggested that they expect specific dashboards Data Protection Impact Assessments (“DPIAs”) to be carried out – this is different to the administrator’s own DPIA. If you haven’t done that dashboards update yet, this is a timely reminder to do so. Remember, the law says your data protection documents should be kept up to date.
To find out more about the new Act, listen to our recorded webinar or read our detailed briefing.
This article first appeared on Lexology.