If you’re a trustee, you might be forgiven for thinking: another data protection requirement? But bear with us, this one is manageable, and for many schemes it won’t require a wholesale rethink of how complaints are handled.
The Data (Use and Access) Act 2025 has introduced a new obligation for data controllers to have a statutory complaints process in place by 19 June 2026. In simple terms, members must be able to complain about how their personal data is being handled, and trustees must have a clear, accessible way of dealing with those complaints.
What will be required?
The legislation says data controllers must “facilitate the making of complaints”, e.g. by providing a complaint form that can be completed electronically (and by other means too). Once a complaint is received, trustees must:
- acknowledge it within 30 days
- investigate it without undue delay
- keep the complainant informed about progress, and
- let them know the outcome.
This doesn’t mean every complaint needs to be resolved within a set timeframe, but it does mean having a structured, transparent process in place.
How does this fit with IDRP?
Some schemes may already deal with certain data protection issues through their IDRP. However, with these new requirements coming into force, a key question is whether to:
- integrate data protection complaints into IDRP (with some tweaks), or
- run a separate data protection complaints process, with its own form and decision-making route.
There’s no one right answer. For some schemes, folding data protection complaints into IDRP may be the simplest option (with appropriate adjustments for the new requirements). Others may prefer a separate route so it’s clearer which issues are benefit‑related and which are data protection‑related, particularly where specialist input may be needed.
A few practical points to think about
With 19 June 2026 not far away, trustees should start thinking about:
- decision-making – who will have authority to decide data protection complaints
- process documents – IDRP documentation may need updating, or a new data protection complaints process drafted and published, alongside updates to other data protection documents (e.g. privacy notice, any processes for dealing with data subject access requests and data protection policy)
- signposting – members need to be told about the new complaints process and where to go next – data protection complaints will go to the ICO, not TPO
- record‑keeping – trustees should keep a record of data protection complaints, especially as trustees may need to report numbers to the ICO in the future
- support – consider what input might be needed from administrators, in‑house teams or professional advisers.
The bottom line
Trustees will need a data protection complaints process in place, but for most schemes this should be an evolution, not a revolution. Existing IDRP frameworks can provide a solid starting point. With a bit of planning, trustees should be able to put in place a process that complies with the new requirements, is clear for members and workable in practice.