The Act makes it easier for organisations (including scheme trustees) to use automated decision-making under UK General Data Protection Regulations (UK GDPR), while still protecting people’s personal data and rights.
The changes will be phased in over a period of 12 months between June 2025 and June 2026.
What data protection laws does the Act change?
The DUAA amends, but does not replace, the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
What are the key changes affecting pension schemes?
Data Subject Access Requests (DSARs) – the rules clarified
As all trustees will be aware, scheme members have rights in relation to their data, including a right to ask what data is held about them via a DSAR. The DUAA includes some helpful amendments to the UK GDPR to codify existing regulatory guidance on DSARs. The amendments confirm that trustees (data controllers) only need to make a ‘reasonable and proportionate’ search for data in response to a request.
Trustees have a one-month deadline to respond to a DSAR. They will now have the ability to “stop the clock” on DSAR response times while waiting for the data subject to clarify the information they are seeking where it is unclear. Although this is a formal change, the ICO has in effect been applying this for some time in their guidance, but it has now been formally addressed. This may be useful if any complex requests are made by scheme members in relation to historical information.
Formal complaint handling requirement
The DUAA introduces a new requirement for data controllers to have in place a mechanism to facilitate member (data subject) complaints. If members are concerned that the way their information is used breaches data protection legislation, data controllers must ensure such a complaint is acknowledged within 30 days and responded to ‘without undue delay’.
Further data processing - new use of personal data remaining compatible with its original purpose
UK GDPR requires personal data to be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
The DUAA makes some changes to when a ‘new’ use of personal data should be treated as ‘compatible’ with the original purpose for which it was collected.
Trustees can now reuse member data—for example, for Pension Dashboard connection, member tracing, or actuarial analysis—without triggering a need for a new compatibility assessment, provided the new use of data aligns with a legitimate purpose.
These changes are particularly helpful for trustees in relation to connecting to and processing personal member data via Pensions Dashboards and will reduce the need for data compatibility tests to be undertaken by schemes.
Changes to transfers of personal data to third countries
The DUAA provides greater clarity on how the UK Government will determine if a country has adequate data protection standards. This clarity aims to ensure personal information can flow more easily to countries that offer the same level of protection as the UK and the UK may approve data flows to a wider range of countries.
The previous "essentially equivalent" test has been changed to a "not materially lower" test. Meaning that the level of data protection for a data subject in a country outside the UK must not be materially lower than that provided under UK GDPR and the Data Protection Act 2018 for the transfer to be allowed.
However, when transferring personal data outside the UK the following will still be taken into consideration in assessing whether the “not materially lower test” is satisfied:
- The country of destination has an adequacy decision.
- Appropriate safeguards are in place (e.g. UK Standard Contractual Clauses (SCCs), or
- Explicit consent is given.
In this context, we are pleased to advise that Cartwright’s policy is still to approach any overseas transfer of personal data with great circumspection and ensure that the rights of data subjects remains a priority.
Automated decision-making (ADM)
Under GDPR, automated decision-making refers to decisions made solely by automated means—without human involvement—that have legal implications or significant effects on individuals.
Decisions can only be made based on ADM in three limited situations, namely, where the use of ADM is:
1. necessary for entering into, or performance of, a contract between the data subject and a data controller;
2. required or authorised by domestic law which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
3. based on the data subject's explicit consent.
In the context of pension schemes therefore, ADM is relevant when processing personal data automatically to make decisions affecting an individual’s pension rights or outcomes.
For Defined Benefit schemes ADM rarely applies because benefit entitlements are typically calculated based on scheme rules (e.g. accrual rates, service, salary) and calculations are reviewed and signed off by humans (administrators, actuaries, trustees).
An example of ADM relating to a Defined Contribution scheme could be a Lifestyle default arrangement where automatically members are placed into an investment strategy based on their age, contributions, or retirement date, without individual consent or human input.
The DUAA relaxes the rules around automated decision-making (ADM), facilitating the responsible use of automation to “help grow the economy and enable a modern digital environment that enhances productivity and makes people’s lives easier”. This applies to personal data that doesn’t involve “special category data” (e.g. sensitive data such as that relating to race, ethnic origin, political opinions, health, sexual orientation or religious beliefs).
This means that automated data processing systems can be used more freely—without requiring a separate legal basis.
Of course, safeguards still apply, such as:
- Providing individuals with information about any significant decisions made about them.
- Enabling individuals to make representations about and challenges to such decisions.
Expanded ICO powers
The Information Commissioner’s Office (ICO) the UK’s data protection regulator, will become the Information Commission and gain new powers, including being able to issue higher (GDPR level) penalties for marketing and cookie infringements and now has greater ability to:
- compel witnesses to attend interviews
- gather data records for investigations
- increase fines for breaches.
Our thoughts and trustee next steps
Most of the changes offer trustees an opportunity to do things slightly differently to comply with the law, rather than make major changes to current processes in place.
We recommend all scheme trustees review and update their Data Protection policies and procedures. They should also revise Privacy Notices for all scheme members. This will have to be done in respect of any active or deferred members before a scheme is connected to the Pensions Dashboard.
Cartwright can assist their clients in this regard, but we further recommend trustees seek legal advice, as they consider necessary, in relation to how the changes under the DUAA may affect their particular scheme.
Here’s a quick summary of trustee actions:
