Skip to main content

Privacy by Design & Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is not optional for an IORP II compliance platform. Under GDPR Article 35, a DPIA is mandatory where processing is likely to result in a high risk to the rights and freedoms of natural persons. PensionPortal.ai processing meets multiple EDPB-recognised triggers. This page explains why a DPIA is required, provides a 7-step DPIA process tailored to the IORP II context, and documents how PensionPortal.ai’s architecture addresses the risks identified.
Mandatory prior consultation: If, after completing the DPIA, residual risks remain high and cannot be mitigated to an acceptable level, trustees must consult the Data Protection Commission (DPC) before commencing processing — Article 36 GDPR. Failure to conduct a required DPIA, or to consult the DPC where required, is a direct infringement of GDPR and may result in administrative fines of up to €10 million or 2% of global annual turnover.

Why a DPIA Is Required for IORP II Applications

The EDPB’s Guidelines on Data Protection Impact Assessment (WP248) identify criteria that, when two or more apply, strongly indicate a DPIA is required. An IORP II compliance platform triggers all of the following:
EDPB CriterionHow It Applies
Large-scale processingProcesses member personal data across entire scheme membership — potentially thousands of individuals per scheme, dozens of schemes per deployment
Data concerning vulnerable individualsMembers approaching retirement, individuals with ill-health retirements; data directly affecting financial security
Decisions with significant effectsIncorrect benefit calculations or data errors directly affect pension entitlements and retirement income
Complex data sharingMultiple controllers and processors: trustees, employer, administrator, actuary, investment managers, Pensions Authority
Innovative technologyUse of AI/LLM-assisted tools for ORA drafting, compliance gap analysis, and governance workflows
Systematic monitoringOngoing tracking of member data quality, contribution records, and benefit entitlements across scheme lifecycle
A single trigger is sufficient grounds to consider a DPIA. PensionPortal.ai triggers six. A DPIA is required and should be completed before deploying the platform to process live member data.
Irish trustees should use one of the following templates as their starting point:

DPC Sample DPIA Template

The Irish Data Protection Commission’s own template — the most appropriate baseline for Irish controllers. Available on the DPC website. Aligns to DPC enforcement expectations.

ICO DPIA Template

The UK ICO’s DPIA template is practically detailed and widely used. While the UK has diverged from EU GDPR post-Brexit, the DPIA methodology remains highly applicable and the ICO guidance is richer than most EU equivalents.

EDPB Guidelines WP248

The European Data Protection Board’s authoritative guidelines on when and how to conduct a DPIA. Required reading for any DPO or legal adviser working in this area.

7-Step DPIA Process for IORP II

1
Step 1 — Confirm You Need a DPIA
2
For any deployment of PensionPortal.ai processing live member data, the answer is almost certainly yes. Document your reasoning using the EDPB WP248 criteria. Even if you are uncertain, conducting a DPIA when not strictly required carries no legal risk — failing to conduct one when required does.
3
Confirm in writing:
4
  • The name of the scheme(s) to be onboarded
  • The categories of data to be processed
  • Which EDPB triggers apply
  • The DPO’s view (mandatory consultation — see Step 3)
    • 5
    Step 2 — Describe the Processing
    6
    Provide a systematic description of all processing activities. For PensionPortal.ai deployments, this includes:
    7
    Processing Purposes (IORP II Context):
    8
  • IORP II governance and system of governance (S.I. 128/2021, Regulation 36)
  • Own Risk Assessment (ORA) preparation, documentation, and annual review
  • Investment governance and risk management
  • Pensions Authority reporting and supervisory engagement
  • Member benefit statement generation (S.I. 128/2021, Regulation 46)
  • Data strategy compliance and data quality management
    • 9
    Data Subjects:
    10
  • Active, deferred, and pensioner members of the scheme
  • Spouses, civil partners, and dependant beneficiaries
  • Named trustees and Key Function Holders (KFHs)
  • Employer representatives and HR administrators
  • Scheme administrators and professional advisers
    • 11
    Data Categories:
    12
  • Identification data: Full name, PPS number, date of birth, address, contact details
  • Employment and pension data: Employment start/end dates, pensionable service, scheme membership dates, role/grade
  • Financial and benefit data: Salary history, contribution records (employee and employer), benefit entitlements, transfer values, AVC records
  • Governance data: Trustee declarations, KFH fitness and probity records, meeting minutes
  • Special categories (where applicable): Health data for ill-health retirement or death-in-service claims (Article 9 basis required — see compliance overview)
    • 13
    Processing Operations:
    14
  • Data ingestion and validation from employer payroll systems
  • Member data quality dashboards and exception reporting
  • ORA workflow documentation and evidencing
  • Document management and version control
  • Regulatory reporting exports (Pensions Authority)
  • Benefit statement generation
  • Audit logging of all data access and modification events
  • Rights request handling (SAR, rectification, erasure)
    • 15
    Systems, Flows, and Hosting:
    16
  • Cloud-hosted application (see sub-processor register for infrastructure details)
  • API integrations with employer payroll and HR systems
  • Role-based access control separating trustee, employer, administrator, adviser, and member views
  • Data residency within EU/EEA (or SCCs in place for any international transfers)
    • 17
    Roles:
    18
  • Trustees: Data controllers — determine purposes and means of processing
  • PensionPortal.ai: Data processor — processes data on behalf of trustees under a Data Processing Agreement (DPA) per Article 28
  • Employer: Joint controller or separate controller depending on scheme structure — must be documented
  • Administrator, actuary, investment manager: Sub-processors of PensionPortal.ai or separate processors of the trustee — must be documented
    • 19
    Step 3 — Consultation
    20
    GDPR Article 35(2) requires the data controller to seek the advice of the DPO when carrying out a DPIA. For pension schemes, consultation should extend to:
    21
    Mandatory:
    22
  • DPO: Must be consulted and their advice documented. If the DPO disagrees with the DPIA conclusions, their dissenting view must be recorded.
    • 23
    Strongly Recommended:
    24
  • Trustees: As data controllers, trustees should review and formally approve the DPIA
  • Scheme Administrator: The administrator handles much of the day-to-day data processing — their input on operational risks is essential
  • Data subjects (via trustee representatives): Article 35(9) requires controllers to seek the views of data subjects where appropriate. For pension schemes, this may be achieved through member-nominated trustee representatives or member consultative bodies
    • 25
    Step 4 — Assess Necessity and Proportionality
    26
    For each processing activity identified in Step 2, document:
    27
    Legal Basis Mapping:
    28
    Processing ActivityLegal BasisSupporting LegislationPensions Authority reportingArticle 6(1)(c) — Legal obligationS.I. 128/2021Benefit calculation and statementsArticle 6(1)(c) — Legal obligationPensions Act 1990 (as amended); S.I. 128/2021 Reg. 46ORA documentationArticle 6(1)(c) — Legal obligationS.I. 128/2021 Reg. 44Revenue/PAYE reportingArticle 6(1)(c) — Legal obligationTaxes Consolidation Act 1997Data quality monitoringArticle 6(1)(f) — Legitimate interestsTrustee duty to membersScheme governance analyticsArticle 6(1)(f) — Legitimate interestsTrustee fiduciary duty
    29
    Data Minimisation Review: Document that each data field collected is necessary for the stated purpose. Remove or anonymise fields that are not actively required. PensionPortal.ai’s field-level access controls support this — configure role profiles to display only the fields each role requires.
    30
    Retention Mapping: Confirm that retention periods are configured (see Data Retention and Deletion). Document the legal basis for each retention period and the process for deletion or anonymisation at end of retention.
    31
    Transparency Measures: Trustees must provide members with a privacy notice at the point of collection (Article 13) or as soon as practicable after collection (Article 14). Document what privacy notice is in place, when it was last updated, and how it is communicated to members.
    32
    Step 5 — Identify IORP II-Specific Risks
    33

    Risk 1: Inaccurate member data affecting retirement benefits

    Description: Errors in salary, service, or contribution data result in incorrect benefit calculations, causing members to receive incorrect benefit statements or, in the worst case, incorrect retirement payments.Likelihood: Medium — payroll integrations are complex; manual data entry introduces errors.Severity: High — financial loss to members; reputational damage to trustees; regulatory action.GDPR Principle at Risk: Article 5(1)(d) — Accuracy.
    34

    Risk 2: Unauthorised access via inadequate role design

    Description: Overly broad role permissions allow users (e.g. employer HR staff) to access data beyond what is necessary for their function — exposing benefit entitlements, health data, or other sensitive fields to unauthorised parties.Likelihood: Medium — complex role hierarchies in multi-employer schemes.Severity: High — potential data breach; Article 5(1)(f) integrity and confidentiality breach.GDPR Principle at Risk: Article 5(1)(f) — Integrity and Confidentiality.
    36

    Risk 4: Insecure data transmission between platform and integrations

    Description: API integrations with employer payroll or HR systems transmit member data over insecure channels or without adequate authentication, exposing data in transit.Likelihood: Low with proper controls; Medium without documented integration standards.Severity: High — data breach; notification obligations under Article 33/34.GDPR Principle at Risk: Article 5(1)(f) — Integrity and Confidentiality.
    37

    Risk 5: Inadequate logging — members unable to understand decisions

    Description: Absence of audit logs means trustees cannot explain to members why their benefit was calculated as it was, or what data was used in a given decision. This obstructs members’ rights under Article 15 and Article 22.Likelihood: Low on PensionPortal.ai (immutable logs by design); High on less capable systems.Severity: Medium — undermines accountability; complicates SAR responses.GDPR Principle at Risk: Article 5(2) — Accountability.
    38

    Risk 6: International transfers via cloud infrastructure

    Description: Cloud infrastructure sub-processors may operate outside the EEA, resulting in personal data being transferred to third countries without an adequate transfer mechanism in place.Likelihood: Medium — most major cloud providers operate globally.Severity: High — unlawful international transfer; Chapter V GDPR breach.GDPR Principle at Risk: Articles 44–49 — International Transfers.
    39
    Step 6 — Define Mitigation Measures
    40
    For each risk identified in Step 5, document the controls in place:
    41
    RiskPrimary MitigationImplemented In Platform?Inaccurate member dataData quality validation engine; exception dashboards; field-level validation rules✅ YesUnauthorised accessFine-grained RBAC: trustee / employer / administrator / adviser / member role separation at database level✅ YesExcessive profilingAI outputs flagged as advisory; mandatory human review before any benefit decision; Article 22 documentation✅ YesInsecure transmissionTLS 1.2+ enforced for all API connections; API key authentication; integration documentation standards✅ YesInadequate loggingImmutable, append-only audit trail; structured log format; exportable for SAR responses✅ YesInternational transfersEU/EEA data residency default; SCCs in place where sub-processors operate outside EEA; transfer impact assessments documented✅ Yes
    42
    Additional Organisational Measures:
    43
  • Documented Data Processing Agreement (DPA) with each processor per Article 28
  • Annual staff training on data protection obligations for all users with access to member data
  • Incident response procedure documented and tested
  • Breach notification protocol: trustees notified within 24 hours of awareness; DPC notification within 72 hours where required under Article 33
    • 44
    Step 7 — Conclude, Sign Off, and Plan Reviews
    45
    Residual Risk Assessment: After applying all mitigation measures, document the residual risk level for each identified risk. If any residual risk remains high, the DPO must assess whether prior consultation with the DPC is required under Article 36.
    46
    Formal Sign-Off: The completed DPIA must be:
    47
  • Reviewed and formally approved by the trustee board (or trustee committee with delegated authority)
  • Reviewed by the DPO — with any dissenting views documented
  • Dated and version-controlled
    • 48
    Triggers for DPIA Review: A DPIA is a living document. It must be reviewed when:
    49
  • A major new feature or processing activity is introduced to the platform
  • New data categories are added (e.g. health data for ill-health retirement workflows)
  • A new sub-processor is onboarded
  • The scheme structure changes materially (e.g. merger, wind-up)
  • A data breach or near-miss occurs
  • Relevant legislation or regulatory guidance changes
  • As part of the scheme’s annual ORA cycle (recommended)
    • 50
    Integration with ORA: The DPIA risk register should feed into the scheme’s Operational Risk Assessment under S.I. 128/2021, Regulation 44. Data protection risks are operational risks. Trustees should not treat them as a separate workstream.

    Privacy by Design in PensionPortal.ai

    Beyond the DPIA process, PensionPortal.ai implements privacy by design as an operational principle:

    Default Data Minimisation

    Every user role is configured to display the minimum data necessary for that role’s function. Broadening access requires explicit trustee approval and is logged.

    Consent & Transparency Tooling

    Where processing relies on legitimate interests, the platform supports the drafting and publication of member-facing privacy notices and maintains a record of when notices were issued and updated.

    Rights Request Automation

    Subject Access Requests, rectification requests, and restriction requests are handled through structured workflows with automated response timeline tracking and audit trails.

    Breach Response Toolkit

    Built-in incident logging, severity classification, and notification checklist. Guides trustees through their Article 33 (DPC notification) and Article 34 (member notification) obligations step by step.

    Further Resources

    PensionPortal.ai can provide template DPIA documentation pre-populated with the standard processing activities described above. Contact your account manager or raise a support ticket to request the DPIA starter pack. Trustees remain responsible for completing, reviewing, and maintaining their own DPIA.