Pensions Dashboard: Adjusting To a New Ecosystem


By Paolo Sbuttoni, Rachel Griffith, and Céline Mather-Franks

Pension schemes and providers are entering a critical phase as the pensions dashboard deadline approaches. With vast amounts of sensitive data at stake, ensuring a secure and compliant connection is essential. In this article, Paolo Sbuttoni, Rachel Griffith and Céline Mather-Franks outline the key steps organisations must take to navigate the dashboard ecosystem successfully.

With the 31 October 2026 deadline for connecting to the new pensions dashboard approaching, now is the time for in-scope occupational pension schemes and providers of personal and stakeholder schemes to kickstart their transition to the dashboard ecosystem.

As pension providers hold vast amounts of personal data and assets, transitioning to the dashboard carries risks including non-compliant data transfers and increased vulnerability to pensions scams. How do you ensure you’re not only connecting, but connecting in the right way and in full compliance with the requirements? The below sets out a critical checklist for achieving a seamless and cyber-secure transition.

Data hygiene

It is essential to review the data you currently hold on your members to make sure it is fit for purpose, that it is being held by you in accordance with the necessary consents and your obligations under the UK GDPR, and meets the Pensions Dashboard Standards. The dashboard is not intended to hold any additional information about members – rather, it is designed to allow members to view their information in one place. This should be kept in mind when assessing what data you are requesting from your members. Following these steps will be key to ensuring proper data hygiene:

  • Minimise the data you hold as a pension provider to reduce the potential risks and consequences of any potential cyber-attack or data breach
  • Review your current data protection policies to ensure you are transparent about how you are processing personal data – you can enhance transparency by educating staff, updating your internal policies and informing members as to how their data will be processed as part of the dashboard and the associated risks
  • Conduct a Data Protection Impact Assessment (DPIA) to identify and mitigate risks. The Pensions Dashboard Programme (PDP) will be publishing a DPIA in due course which will help providers carry out this exercise

Transferring data to the dashboard must be done securely and in compliance with current data protection laws, so you should also ensure you have effective systems in place. If you are planning to connect to the dashboard via a third-party Integrated Service Provider (ISP), you’ll need to ensure your agreement includes Article 28 data processing obligations.

Assess your security

Pension providers connecting to the dashboard are responsible for protecting personal data with adequate security measures. Ensure you and your ISP (if applicable) comply with the security standards set out in the Pensions Dashboard Standards ‘code of connection’. The security standards are designed to ensure an appropriate level of security in accordance with National Cyber Security Centre standards and best practice. They detail the technical authentication requirements for communication between parties within the dashboard ecosystem, set the encryption requirements for all data in transit across the ecosystem, and set the requirements for security-testing interfaces to the ecosystem.

If you’re connecting to the dashboard via an ISP, make sure to ask robust questions about the technical and organisational measures the ISP has in place to comply with their data protection obligations and ensure information security. Consider whether the liability provisions and/or indemnities in your agreement with the ISP are sufficient to protect you in the event of a breach.

Minimise your contractual risk

With most providers and schemes connecting to the dashboard via ISPs, you should carefully review the terms of these providers as part of the onboarding process. Ensure the agreement imposes express obligations on the ISP to comply with the pensions dashboard regulatory requirements, both in their current state and as amended from time to time. Consider the warranties and undertakings provided by the ISP in respect of their services and software and whether they’re robust enough. At a minimum, they should undertake to implement the Pensions Dashboard Standards ‘code of connection’ and facilitate your compliance with the standards.

It’s not uncommon for tech providers to indemnify their customers against third-party claims of intellectual property infringement. Consider how far this indemnity can be extended to cover breaches of additional warranties (e.g. ensuring services and software will conform with the provider’s documentation and be free from vulnerabilities, viruses and other malicious code). The agreement with your ISP is also the place to obtain express assurances that your data will only be used for the narrow purpose of the pensions dashboard connection, service development/improvement and nothing else.

Get up to code

To connect to the pensions dashboard and remain connected, pension providers must meet the requirements set out in the Pensions Dashboard Standards ‘code of connection’ issued by the Money and Pensions Service (MaPS). The code ensures that the systems and services of providers are managed and controlled to appropriate levels by setting connection, security, technical, service and operational standards. Even if you’re connecting to the dashboard via a third party, ensure you understand the code of connection standards. Whilst your third-party provider will be responsible for much of the implementation of the standards, you are still responsible for complying with them.

If you are connecting via an ISP, carefully review their service level agreement against the service response times, availability requirements and service restoration requirements under the code of connection service standards. Will your provider target an availability service level of 99.5%? Will they provide MaPS with 5 days’ notice of any scheduled unavailability? If not, they’ll need to in order for you to comply with the code.

The transition to the pensions dashboard presents an opportunity for individuals to enjoy enhanced visibility over their pensions and better plan for their future. It also represents a prime opportunity for pensions providers to review and enhance their data protection compliance and cyber-security.

About the Authors

Paolo Sbuttoni, Rachel Griffith, and Céline Mather-Franks are specialist data and tech lawyers working across Foot Anstey’s Commercial, Tech & Data and Pensions & Employment teams. The trio advise on digital transformation, data protection, cybersecurity, and occupational and personal pension arrangements, with Paolo having particular expertise in technology procurement and the launching of virtual financial services.
