Pensions dashboards compliance: the cyber risk perspective

The introduction of pensions dashboards represents a significant step forward in the digitalisation of pension schemes, aiming to provide individuals with a comprehensive view of their pension savings – in particular, potentially helping to address the £31.1bn currently sitting in lost small pension pots. A recent article entitled The year ahead: A look at what’s on the pensions agenda for 2025, published by Pensions Age Magazine, stated that “[d]ashboards will dominate trustee agendas in the year ahead, with 2025 connection deadlines fast approaching”.

However, this advancement brings with it a range of data protection and cyber security risks that the pensions industry should be aware of – both in terms of protecting member interests and of ensuring compliance with the relevant obligations.

Key relevant legislation and guidance

Some of the key legal frameworks governing the data protection and cyber security aspects of pensions dashboards can be summarised as follows:

These regulations and guidance set out the requirements for the processing of personal data, including the need for transparency, data minimisation, and the implementation of appropriate security measures. However, there is likely to be further input from TPR and the PDP to come in due course.

The starting point for trustees under data protection legislation always comes back to the fact that ultimately the trustees remain data controllers and are therefore responsible for what their data processors do with members’ personal data.

Overview of the position – what is the cyber risk? 

At this early stage in the planned launch of pensions dashboards in the UK (beginning with the government-backed MoneyHelper dashboard), the intention is not for pension schemes to hold any additional information that they did not already hold, but rather to allow members to view certain information about all of their pension schemes in one place through a dashboard. However, even at this stage, the Pensions Age Magazine article mentioned above warned “that the increased use of digital tools and customer data increased risk of cyber threats and scams”.

There are different ways in which a pension scheme can meet its dashboards connection and ongoing obligations, and the likelihood is that this will be done either by the scheme’s existing administration (whether that is a third party administrator or an in-house administration team) or by a specific Integrated Service Provider (ISP).

At this stage, we consider that the main cyber / data protection threats posed by pensions dashboards are:

  1. Ensuring data transfers are effective, secure, and compliant: To the extent that data is transferred from schemes to meet the pensions dashboards requirements, schemes will need to have systems in place to ensure that data is transferred effectively, securely and compliantly. This may relate to the way in which a scheme connects to the dashboards ecosystem itself or the transfer of data to a scheme’s chosen ISP. Given the strict regulations around dashboards operators and the dashboards ecosystem, we expect the former risk to be less of a concern for trustees, albeit still a relevant consideration. Any transfer to an ISP, however, should be considered very carefully as this would be a significant new data processor arrangement and trustees should be asking robust questions about the ISP’s internal controls in relation to cyber risk and for clarity on data protection and cyber security provisions in their contract with the ISP before any data is transferred. 
  2. Informing and educating members as to scams: Trustees know that they should be warning members of the risk of pensions scams. The move to pensions dashboards could present a fresh opportunity for scammers to target pension scheme members, which was recognised in the Pensions Age Magazine article referred to above, which states that “[s]cammers could make use of government initiatives such as pensions dashboards as an opportunity to trick consumers out of their pensions savings”. For example, whilst bad actors will not be able to access the member’s pensions data other than to view it through the dashboard (if they were somehow able to get their hands on a member’s personal details and log in as that individual), they may be able to view information from which they could glean useful information about the member (in particular, whether they are a valuable target).

Mitigating cyber risk relating to dashboards 

Understanding that there is a potential cyber / data security risk related to dashboards compliance is the first step; the next step is considering what to do about that risk so that it can be mitigated. 

Ways to mitigate the potential cyber risk in this area include: 

  1. Updating the Scheme’s risk register: Having identified a potential cyber risk relating to dashboards, we recommend that this risk is reflected on the scheme’s risk register. 
  2. Updating the Scheme’s privacy notice / fair processing notice: Privacy notices should be updated to reflect the potential sharing of member personal data with dashboard providers, and potentially also further sharing of information (if any) with your administrator/ISP to comply with the pensions dashboards requirements. This includes detailing what personal data is processed, the legal basis for processing, and the third parties with access to the data. 
  3. Think about Data Protection Impact Assessments (DPIAs): The purpose of DPIAs is to identify and mitigate data protection risks. TPR’s “initial guidance” document on Pensions Dashboards emphasises that: 
    1. The programme will revolve around significant “matching” exercises – with the guidance stating that, “you will receive certain personal data from the digital architecture. You will need to use the data to search your records and determine if you have a pension for them. This process is called ‘matching’.” 
    2. And that “matching” exercises often require a DPIA – with the guidance stating that, “Matching, combining or comparing data from multiple sources requires a [DPIA]…, so you may need to produce one.. [or] update [your existing one]”.
  4. Review your administration contract: We expect that most scheme administrators (if they haven’t already done so) will be seeking to update their administration contracts to reflect the work that they will be carrying out in relation to dashboards compliance. This is a good opportunity to update a scheme’s administration contract for this purpose, but trustees should consider whether the data protection / cyber security provisions in the contract should be updated at the same time as there is an overlap between the two aspects. Many schemes may not have considered the data protection provisions in their contract since GDPR came into force in 2018 and the pensions industry’s position has moved on significantly since then, especially in relation to cyber security.
  5. Understand your ISP’s position: If your scheme is going to appoint an ISP to help you with dashboards compliance, you should be asking robust questions about the ISP’s internal controls in relation to cyber risk. You should also make sure that you have got contractual terms in place with the ISP before any data is transferred, which should include consideration of the data protection and cyber security provisions in their contract.
  6. Update your scheme’s data and asset map: Pension schemes should have an up-to-date data and asset map, as this helps trustees to understand their cyber risk in line with TPR’s expectations. Dashboards compliance may well lead to new data flows, and a scheme’s data and asset map should therefore be updated to reflect this.
  7. Think about your scheme’s cyber resilience more generally: Managing cyber risk in relation to dashboards compliance is one aspect of wider cyber risk management. Having appropriate internal controls, including in relation to cyber risk, is an important aspect which will feed into a scheme’s Effective System of Governance (ESOG). For any scheme which has not already started to take steps to build its cyber resilience, pensions dashboards compliance could be a useful push to start those schemes on this journey. 

Key takeaways 

It is really important that trustees understand that there is a potential cyber / data security risk related to dashboards compliance and that trustees should take steps to mitigate and manage that risk. We’ve set out in this article a number of ways that trustees can start to do that. 

We also suggest that trustees keep an eye out for further guidance on Pensions Dashboards, and cyber/data protection in particular. For example, PDP are understood to be in the process of providing a general DPIA regarding Pensions Dashboards – which some schemes may deem sufficient for their purposes, or will at least make the preparation/updating of a DPIA an easier process. 

This article was written by Samantha Howell (Senior Associate), Andy Prater (Senior Associate) and Kelly Beattie (Senior Associate), all from Burges Salmon’s Pensions and Lifetime Savings team. You can find more information on cyber risk for pension schemes in Burges Salmon’s Cyber Security Compliance Trustee Checklist, and you can learn about the team’s experience in advising pension schemes in relation to cyber security here.

https://www.pensionsage.com/pa/Pensions-in-2025-whats-on-the-agenda.php#:~:text=than%20state%20pension-,The%20year%20ahead%3A%20A%20look%20at%20what%27s,the%20pensions%20agenda%20for%202025&text=Industry%20experts%20are%20expecting%20a,to%20the%20advice%2Fguidance%20boundary.