
Data beneath the Dashboard

Key data considerations for connecting to Pensions Dashboards

Pensions dashboards – which aim to give members a free and comprehensive view of their pension savings in one place – should feature high on trustees’ agendas, with connection deadlines for many now fast approaching.

However, punctuality is not enough. Trustees must also address the data protection and cyber security risks presented by their schemes’ connection to dashboards.

We have seen pension schemes being increasingly targeted by cyber-attacks. As data controllers under the GDPR, trustees remain ultimately responsible for their members' personal data. And with dashboards, there’s a lot of data – relating both to the members themselves and their benefits. Trustees therefore need to ensure their standards are robust, and that data transfers between them and the dashboards will be effective, secure and compliant.

What should trustees be doing?

Now is the time for schemes to proactively review and revise their existing data protection security processes, practices and documentation to ensure that they are up to date and adequate. The risk of a data breach can never be eliminated entirely, but having adequate data security standards, processes, and documentation in place will effectively minimise the risk of a data breach and its severity should one occur.

Regularly reviewing and updating these is also essential for trustees’ compliance with their legal data protection obligations.

Third Party Reviews

Appropriate due diligence, including a review of the cyber security standards in place, should be carried out on any third party that could handle the scheme's data.

Contracts

Contracts for dashboards services – whether with the scheme's administrator or a newly appointed provider – must be carefully reviewed to ensure that data protection and cyber security provisions are robust and sufficiently reflect the risk.

If an Integrated Service Provider (ISP) is being used, trustees must interrogate their ISP's internal cyber risk controls and data processing practices. Adequate terms must be in place prior to any transfer of data.

Privacy Notices

These should be reviewed to ensure they cover the sharing of members' personal data with dashboard providers and administrators/ISPs (including what personal data is processed, the legal basis for processing, and which third parties have data access). 

Data Protection Policy

This should be reviewed to ensure its contents remain fit for purpose and reflective of how data is handled and protected in practice.

Data Breach Policy

This should be reviewed and updated to reflect the process which the trustees will follow in the event of a data breach relating to the dashboard.

Cyber Security Policy

This should be reviewed to ensure it will continue to set out the scheme's cyber security practices and standards.

Records of Processing Activities

This internal document should be reviewed and updated to ensure it reflects the scheme's current data processing activities.

Data Protection Impact Assessments (DPIAs)

These help trustees assess and mitigate risks from a data processing activity. DPIAs are mandatory under data protection law when the processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purpose of the processing.

Speak to us for advice on whether your scheme should produce a DPIA before connecting to dashboards.

Consequences of inadequate documentation

Without proper processes and documentation, trustees risk:

  • non-compliance with legal data protection obligations;
  • being victim to successful cyber-attacks;
  • breaches of personal data and other confidential information;
  • exposing members to significant personal harm;
  • receiving claims from affected individuals;
  • regulatory enforcement action by TPR or the ICO; and
  • reputational damage.

Beyond connection, TPR has issued a recent blog urging trustees to get their ‘data house in order’.

How TLT can help

TLT’s Pension experts can advise on dashboard requirements, including helping trustees integrate dashboard compliance into their internal controls and broader cyber resilience strategies. This in turn supports schemes in meeting TPR’s General Code requirements. Our approach ensures dashboard implementation strengthens rather than compromises your scheme's data protection framework.

TLT’s Data Protection experts can provide specialist support and guidance on your current data protection processes and documentation, flagging any gaps and helping you to close them, with an eye on how implementing the pensions dashboard will affect them.

Authors: Ellie Taylor, Flora Ragless-Green and Tomos Davies

Date published
11 Sep 2025
