
Compliance Architecture Overview

PensionPortal.ai is built from the ground up to meet the intersecting obligations of IORP II (transposed into Irish law via S.I. 128/2021 — the European Union (Occupational Pension Schemes) Regulations 2021) and the General Data Protection Regulation (GDPR, as retained in Irish law via the Data Protection Act 2018). For Irish pension trustees, these two regulatory frameworks are not separate compliance workstreams — they are deeply intertwined, and the platform treats them as such.
Regulatory foundation: S.I. 128/2021 transposes Directive (EU) 2016/2341 (IORP II) into Irish law. Trustees of occupational pension schemes with more than one member are subject to this framework. Compliance with IORP II does not substitute for GDPR compliance — both frameworks apply concurrently.

GDPR as a Core Design Principle

Many compliance tools treat data protection as a layer applied after core functionality is built. PensionPortal.ai reverses this. Privacy and data protection controls are foundational architectural decisions:
  • Data minimisation by default: The platform collects and displays only the member data fields required for the specific workflow being executed. An employer reviewing contribution data does not see benefit projections. An adviser sees only the scheme-level data relevant to their engagement.
  • Purpose limitation enforced at API layer: Each data access event is tagged with a processing purpose. Audit logs capture not just who accessed data, but why — aligned to GDPR Article 5(1)(b).
  • Role separation at schema level: Trustee, employer, administrator, adviser, and member roles are not just UI configurations. They map to distinct database access profiles, ensuring that over-permissioned access is structurally impossible rather than merely policy-prohibited.
  • Encryption by default: All member data is encrypted at rest and in transit. Encryption is not optional or a premium tier feature.
This approach reflects the requirements of GDPR Article 25 — Data Protection by Design and by Default — and the DPC’s guidance that controllers must implement appropriate technical and organisational measures at the time of designing processing systems.

The Intersection of IORP II and GDPR

IORP II imposes explicit data strategy requirements on pension trustees. Regulation 59 of S.I. 128/2021 requires trustees to implement a written data strategy covering:
  • The categories of data collected, processed, and retained by the scheme
  • Data quality and accuracy controls
  • Data governance policies, including access controls
  • The data-related aspects of the scheme’s risk management function
This is not merely an administrative requirement. The Pensions Authority expects trustees to demonstrate that data governance is embedded in their operational risk assessment (ORA) and system of governance. PensionPortal.ai directly supports the drafting, evidencing, and annual review of the data strategy through structured templates, audit trails, and exportable compliance artefacts. Where IORP II data strategy requirements and GDPR overlap:
IORP II Data Strategy Requirement           | Corresponding GDPR Obligation
--------------------------------------------+---------------------------------------------------
Data quality and accuracy controls          | Article 5(1)(d) — Accuracy principle
Access controls and role governance         | Article 25 — Data protection by design
Documented data flows and integrations      | Article 30 — Records of Processing Activities
Retention and disposal policies             | Article 5(1)(e) — Storage limitation
Risk assessment of data processing          | Article 35 — Data Protection Impact Assessment
Trustees who build a rigorous GDPR compliance programme around PensionPortal.ai will simultaneously satisfy the majority of IORP II data strategy requirements. The platform is designed to generate the evidence artefacts required by both frameworks from a single set of operational activities.

What “Compliance by Design” Means in Practice

Automated Retention Enforcement

Retention schedules are configured at scheme setup. The platform automatically archives or flags for deletion records that have reached their retention limit, applying legal holds where pension law mandates retention overrides GDPR deletion requests.

Data Subject Rights Workflows

Subject Access Request (SAR), rectification, restriction, and erasure requests are handled through structured workflows with full audit trails. Trustees can respond to Article 15 SARs within the 1-month statutory deadline with platform-generated data exports.

Immutable Audit Logging

Every data access, modification, and deletion event is logged to an append-only audit trail. Logs cannot be altered or deleted by any platform user, including administrators. This supports both GDPR accountability (Article 5(2)) and IORP II governance requirements.
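As an added illustration of the two properties described above (purpose-tagged access events and an append-only, tamper-evident trail), the following hash-chained audit log is example code written for this page, not PensionPortal.ai's own implementation; the actors, member IDs and purpose labels are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


class AuditLog:
    """Append-only audit trail. Every record carries who acted, what they did,
    which member record was touched and the processing purpose (the 'why'
    that GDPR Article 5(1)(b) requires), and is hash-linked to its predecessor."""

    def __init__(self):
        self._records = []          # in-memory here; a real store would be write-once
        self._last_hash = GENESIS

    def append(self, actor, role, action, member_id, purpose):
        record = {
            "seq": len(self._records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "member_id": member_id, "purpose": purpose,
            "prev_hash": self._last_hash,
        }
        # Canonical JSON so verification recomputes exactly the same bytes.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        record["hash"] = hashlib.sha256(payload.encode()).hexdigest()
        self._records.append(record)
        self._last_hash = record["hash"]
        return record["hash"]

    def records(self):
        # Callers get copies; the underlying list is never handed out for mutation.
        return [dict(r) for r in self._records]


def verify_chain(records):
    """Recompute each hash and check each prev_hash link.
    Returns the index of the first altered, inserted or missing record, or -1 if intact."""
    expected_prev = GENESIS
    for i, r in enumerate(records):
        body = {k: v for k, v in r.items() if k != "hash"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if r["prev_hash"] != expected_prev or r["hash"] != hashlib.sha256(payload.encode()).hexdigest():
            return i
        expected_prev = r["hash"]
    return -1


def accesses_by_purpose(records, purpose):
    """Answer the 'why' question: every access made under a given processing purpose."""
    return [r for r in records if r["purpose"] == purpose]
```

A verifier run on an exported copy of the log detects both an edited field and a silently dropped record, which is what makes the trail usable as accountability evidence rather than only a list of events.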

Processor Transparency

The platform maintains a published sub-processor register. Trustees receive 30-day advance notice of any sub-processor changes, enabling them to fulfil their own Article 28 obligations to data subjects.

Trustees, as data controllers, must identify a valid legal basis under GDPR Article 6 for each processing activity. PensionPortal.ai’s documentation and onboarding process helps trustees record their legal basis mapping as part of their Record of Processing Activities (RoPA). The primary legal bases applicable to pension scheme data processing are:

Article 6(1)(c) — Legal Obligation
Processing that is necessary to comply with a legal obligation to which the controller is subject. This covers:
  • Reporting to the Pensions Authority under S.I. 128/2021
  • Revenue/PAYE reporting obligations under the Taxes Consolidation Act 1997
  • Actuarial valuations required under the Pensions Act 1990 (as amended)
  • Benefit statement obligations under IORP II Article 38 (transposed via S.I. 128/2021, Regulation 46)

Article 6(1)(f) — Legitimate Interests
Processing necessary for the purposes of the legitimate interests pursued by the controller, where those interests are not overridden by member rights. This may apply to:
  • Proactive data quality monitoring to protect member benefit accuracy
  • Scheme analytics supporting governance and investment strategy
  • Communications supporting scheme administration
Where special categories of data are processed (e.g. health data in the context of ill-health retirement or death-in-service claims), a separate basis under GDPR Article 9 must be identified. Article 9(2)(b) — processing necessary for carrying out obligations in the field of employment and social security law — will typically apply, supported by the Data Protection Act 2018, Section 36. Trustees should document this in their RoPA and DPIA.

Ongoing Compliance Assurance

PensionPortal.ai does not treat compliance as a one-time setup exercise. The platform supports continuous compliance through:
  • Annual ORA integration: Data protection risks are included in the scheme’s Operational Risk Assessment cycle. The platform generates a compliance evidence pack that trustees can incorporate into their annual ORA documentation.
  • Regulatory change monitoring: The platform’s compliance documentation is updated when relevant regulations, DPC guidance, or Pensions Authority supervisory expectations change. Trustees are notified of changes affecting their compliance posture.
  • DPO support tools: Where trustees have appointed a Data Protection Officer (mandatory for schemes engaging in large-scale systematic processing of member data), the platform provides DPO-specific views of audit logs, rights requests, and processing activity records.
  • DPIA triggers: The platform flags when new features, data categories, or processing activities are introduced that may require a DPIA review, aligned to the EDPB’s criteria under Article 35.
Supervisory authority: The Data Protection Commission (DPC) is Ireland’s supervisory authority under GDPR. The Pensions Authority is the competent authority for IORP II supervision. Trustees should maintain relationships with both authorities and ensure their compliance documentation is accessible for inspection by either.

Summary

PensionPortal.ai’s compliance architecture is built on three principles:
  1. Legality: Every processing activity has a documented legal basis. Every feature is assessed against its GDPR and IORP II obligations before release.
  2. Accountability: Everything that happens to member data is logged, auditable, and exportable. Trustees can demonstrate compliance — not merely assert it.
  3. Proportionality: Data access is granted at the minimum level necessary. Role design enforces this structurally, not just through policy.
Pension trustees using PensionPortal.ai are not just buying software — they are adopting a compliance framework built specifically for the Irish IORP II context.