The Pension Minister’s 8 June statement reaffirmed that more time is required for the Pensions Dashboards Programme (PDP) to deliver the dashboards digital architecture. To that end, scheme connection deadlines are to be revised and will be set out in guidance (to be consulted on later this year) rather than in legislation. A mandatory connection deadline of 31 October 2026 will be included in amended legislation as an ultimate backstop.
It might be tempting for trustees, pension managers and other stakeholders to see this delay as a reason to focus on other issues and defer getting “connection ready”. However, the extra time provides a crucial opportunity to make progress with dashboard readiness projects and with other connected issues.
The case for acting now
There are many reasons why trustees, managers and other stakeholders should avoid adopting a “watching brief” whilst the revised connection timeline is established.
- The “known knowns” regarding what is required to get “connection ready”: The key administrative, technical and legal issues to tackle are widely acknowledged and are not expected to change despite the revised staging timeline;
- Clear regulator expectations: The Pensions Regulator’s (TPR) initial pensions dashboards guidance, and its recent call for trustees to be prepared, confirm that TPR expects trustees to utilise the extra time and to be taking steps already. TPR’s draft compliance and enforcement policy is also clear that TPR is likely to take robust enforcement action where there has been wilful or reckless non-compliance, schemes have inadequate internal controls, or an insufficient audit trail has been kept of the steps taken to prepare to comply with dashboard duties.
  The Information Commissioner’s Office (ICO) expects schemes to adopt a “data protection by design and default” approach. ICO has highlighted that trustees will be required to undertake (or update) a Data Protection Impact Assessment in relation to dashboard data activities and that it is “vital schemes are doing what they can to improve the accuracy of the data”. It also expects meaningful privacy information to be provided to members and that trustees will consider data minimisation when setting their matching criteria;
- The scale of the project: Several schemes and administrators have made substantive progress with their dashboard projects, but the industry acknowledges that a lot more needs to be done for dashboards to become a reality. Trustee risks will increase if schemes and stakeholders do not engage with “the significant work involved to comply with...dashboard duties” (TPR) and the “huge amount of preparation work required” (PASA). Acting now, and having a clear project plan, will help trustees to manage costs, allow time for negotiating amended service terms, and avoid capacity crunches as deadlines approach.
- Related risks and requirements: Dashboards are just one of several current drivers for trustees to focus on scheme data and on ensuring that their data and cybersecurity policies, controls, and liability protections are appropriate. Others include:
  - The importance of data quality and accuracy for Guaranteed Minimum Pension (GMP) equalisation exercises and for schemes that may be nearing a bulk annuity transaction;
  - Enhanced internal controls requirements under TPR’s upcoming General Code and relevant legislation, which include a “cyber controls” module and direct expectations on schemes “to include measures to reduce cyber risk”;
  - The increased threat of cyber-attacks for pension schemes and service providers, as evidenced by a recent cybersecurity incident involving a large UK-based outsourcing provider who provides pensions administration services; and
  - The nature and scale of “worst case scenario” risks in relation to dashboard compliance, data protection breaches and cyber-attacks e.g. TPR penalties of up to £50,000 for each individual dashboard duties breach, ICO fines of up to £17.5 million, and significant reputational damage.
- The wealth of resources available to help trustees and administrators tackle key issues: Industry bodies like the Pensions Administration Standards Association (PASA) have issued guidance to help schemes address common issues including data accuracy, data matching and providing data values, with more support on the way. TPR has also produced a dashboards preparation checklist.
How can early legal input support your project?
To meet their dashboard duties, it is critical for trustees and managers to ensure that scheme data is accurate and digitally searchable. As a priority, trustees will therefore need to engage with their administrators, or an independent data audit and controls specialist, to look at validating data accuracy so that they will be able to match members with their benefits. However, well-managed and pragmatic dashboard compliance projects will also use early collaboration between scheme stakeholders and advisers to boost efficiency. Information and knowledge sharing will be important, for example:
- Because the accuracy and quality of scheme data will influence the trustees’ matching policy and will impact on related legal risks and risk mitigants; and
- Legal advisers will need to understand the new data activities which will be taking place to ensure that policies and service terms are accurately papered and meet data protection requirements.
Involving legal advisers from the outset can have several time and cost benefits and should help avoid surprises as schemes near their connection deadline. Early legal input which could be valuable includes:
- An assessment of your scheme’s current data protection and cybersecurity policies, procedures, and liability protections to establish your baseline compliance position and to identify “gaps” relating to new data activities, updated legal requirements and regulator expectations, and the evolving threat of cyber-attack;
- Trustee training regarding legal dashboard duties and key data protection and cyber risk considerations;
- Rule reviews to identify benefit features and types which could create challenges when trustees come to decide how to meet dashboard value data requirements regarding accrued value and estimated retirement income; and
- Support with project management and documenting an appropriate audit trail of the steps taken to get “dashboard ready”.
Please contact Adam Carruthers if you would like to discuss your dashboard compliance project and how Deloitte Legal’s Pensions and Data Privacy and Cybersecurity teams can help.
Deloitte also operates a specialist cyber risk practice which helps clients to implement and operate cyber solutions and services to anticipate and prepare for the cyber risks of the future.