GDPR for HR in 2026: what’s changed (and why you should care)
TL;WR version: UK GDPR has been amended by the Data (Use and Access) Act 2025 (DUAA), with most HR-relevant changes in force from 5 February 2026. Key points for HR teams:
- Subject access requests now use a statutory “reasonable and proportionate search” standard, and the one-month response clock can be paused to ask for clarification.
- Employers have more flexibility to use automated decision-making (including AI in recruitment), except where a decision is based wholly or partly on special category data.
- From 19 June 2026, employees gain a new right to complain directly to their employer about data handling, separate from complaining to the ICO.
- A narrow new “recognised legitimate interests” basis removes the need for a full assessment in specific cases (e.g. safeguarding).
- Maximum fines remain high: up to £17.5 million or 4% of global turnover for the most serious breaches.
- Employers should update privacy notices, document their SAR process, audit AI/automated tools, and have an accessible complaints process in place.
Ah, GDPR. The regulation that turned “we’ll just email round a spreadsheet” into a potentially sackable offence, and gave every office a brief, feverish obsession with cookie banners back in 2018.
You’d be forgiven for thinking the story ended there. Well, it didn’t.
The Data (Use and Access) Act 2025 (DUAA) has quietly rewired several parts of UK GDPR that matter enormously to HR, such as: how you handle subject access requests, how freely you can use AI in recruitment, and a shiny new right for employees to complain directly to you when they think you’ve mishandled their data.
And this regulation isn’t just some toothless bit of bureaucratic box-ticking. It has genuine teeth, up to £17.5 million-worth of them, in fact! So, if your GDPR compliance policy is still frozen in its original 2018 form, this is your wake-up call.
First, the bit that hasn’t changed (breathe out)
Before we pile into the new stuff, let’s be clear about what’s unchanged, because it’s still most of it.
UK GDPR and the Data Protection Act 2018 remain the backbone of how you handle employee data: from CVs and right-to-work documents to sickness records, performance reviews and the odd awkward disciplinary note.
The DUAA doesn’t tear any of that up; rather, it subtly amends it. So, the fundamentals you’ve (hopefully) already built your processes around still hold:
- You need a lawful basis to process personal data, and “the employee signed a form” (AKA consent) is rarely it, given the somewhat one-sided power dynamic of an employment relationship.
- Special category data, think health information, sexual orientation, trade union membership, needs extra protection and a specific Article 9 condition before you go anywhere near it.
- Employees can still ask to see what you hold on them, have it corrected, and in some cases, have it deleted.
- Serious breaches can still land you a hefty fine from the Information Commissioner’s Office (ICO), and the reputational hit that inevitably follows close behind.
What’s actually changed under the DUAA
Most of the HR-relevant changes landed on 5 February 2026, and one more arrived in June. Here’s what’s genuinely worth your attention, in order of “sort this out now” urgency.
-
Subject access requests just got a bit more forgiving (sort of).
The DUAA has written the “reasonable and proportionate search” standard into law. Basically, you no longer need to turn every filing cabinet, inbox and forgotten Slack channel inside out for a single request.
You do, however, need to be able to show your working, so to speak, and prove what search you actually did. There’s also a genuinely useful new power to pause the one-month response clock while you ask someone to narrow down a vague or sprawling request… as long as you explain clearly why you’re asking.
-
More room to let the robots help with hiring decisions.
This is a big one if you’re using AI anywhere in recruitment or workforce analytics. The old restrictions on automated decision-making now only really bite when a significant decision is based wholly or partly on special category data.
Outside of that, you’ve got noticeably more freedom to use automated tools, provided people get clear notice, the right to challenge a decision, and the option to have an actual human take a look. It’s a genuine loosening of the rules, though it’s not a free pass to let an algorithm quietly discriminate against anyone.
You can rely on these tools during the hiring process, but you must be transparent about how the system evaluates candidates, and allow employees to challenge a hiring decision or request human review.
-
A new right to complain
Employees are now able to complain straight to you, as the data controller, if they think you’ve mishandled their personal data, on top of their existing right to go to the ICO. You’ll need an accessible way for people to actually make that complaint (an online form or a dedicated inbox both do the job), plus a proper documented process for acknowledging it (within 30 days), investigating it, and keeping them posted, all without dragging your feet.
Complaints don’t even need to mention the words “GDPR” or “data protection” to count. But, it’s worth making sure your managers know one when they hear one, rather than filing it under “just another a moan.”
-
A new “recognised legitimate interests” basis.
For a narrow, specific list of activities, think safeguarding or responding to certain public body requests, you may no longer need a full legitimate interests assessment. Most everyday HR processing won’t fall under this umbrella, so resist the urge to wave it at everything; check the ICO’s actual list before you get too excited – which you can do here
-
Cookie and marketing fines just got teeth.
This one’s slightly outside HR’s usual lane, but worth flagging to whoever runs your careers page analytics or recruitment marketing: PECR fines for cookie and marketing breaches can now hit the same eye-watering levels as UK GDPR fines, up to £17.5 million or 4% of global turnover. Not exactly small print anymore.
What HR teams must be doing about all this
Here’s where the rubber meets the road (or in reality, the spreadsheet meets the shredder).
Here are a handful of practical steps that will put you well ahead of most organisations still coasting on their 2018 paperwork:
- Give your privacy notices a proper read-through. Make sure they reflect the new complaints route and how you’re using any automated decision-making tools.
- Document your SAR process properly. Be ready to show what “reasonable and proportionate” looks like in your organisation, and build in the option to pause the clock for clarification where it genuinely applies.
- Audit any AI or automated tools used in recruitment and HR. Check that safeguards are actually in place: a clear notice, a route to challenge a decision, and access to a human reviewer, not just a “computer says no.”
- Get a complaints process in place. This needs to be genuinely accessible, not a single line buried on page 14 of your company policy handbook, and someone needs to actually own it.
- Brief your line managers. Since a complaint doesn’t need to be formally labelled as anything, managers are often the first (and sometimes only) people who hear about it. Make sure they know what one sounds like and where to send it.
How the right HR software takes some of the sting out of this
A lot of this ultimately comes down to visibility and paper trails (or, more accurately, not having to hunt through several years of paper trails and spreadsheets at 4:45pm on a Friday).
Integrated HR software systems (like Cezanne, for example) that keep employee records, consent, and document histories in one place makes it far easier to evidence a “reasonable and proportionate” SAR search, track who’s accessed what, and demonstrate the kind of accountability the ICO now expects as standard. It also makes an incoming complaint considerably less painful to handle, since you can pull together exactly what happened and when, rather than reconstructing it from three inboxes and someone’s memory.
It’s also fair to say we practise what we preach here. Every piece of data held in Cezanne HR is encrypted both at rest and in transit, and every login, attempted login, and change to personal data is logged and timestamped. So, there’s always a clear trail of who did what, and when. Your data stays put, too: it’s hosted with AWS in Ireland, and any support access from our side is limited to the UK or other EEA countries, so nothing wanders outside the region without your knowledge.
We back all of that up with regular penetration testing from an independent cybersecurity firm, resilient infrastructure spread across multiple data centres, and tested backup and recovery procedures, so if something ever does go wrong, “we’ll sort it eventually” isn’t the plan.
A few other things worth knowing, if you’re the sort of person who reads the compliance appendix (no judgement, someone has to):
- We’ve appointed a Data Protection Officer, registered with the ICO, as required under Article 37(1) of GDPR.
- Our Information Security Management System is certified against ISO/IEC 27001:2022 with BSI, the UK’s leading certification body.
- We maintain formal processing records under Article 30(2), even in situations where the law wouldn’t strictly require it of us.
- Every one of our sub-processor agreements confirms that customer data is never transferred or processed outside the UK or EEA.
- All our staff with access to customer data are trained in data security and bound by confidentiality agreements, and we have clear procedures for returning or erasing your data if you ever leave us.
None of this is about ticking boxes for the sake of it. It’s about being able to answer the question “can we actually trust this vendor with our people’s data?” with something more convincing than a shrug. Can your system do the same? Worth thinking about…
FAQs: GDPR for HR in 2026
Does the Data (Use and Access) Act 2025 replace UK GDPR?
No. It amends the UK GDPR and the Data Protection Act 2018 rather than tearing either up. The core framework HR teams already work to is still very much intact.
When did the DUAA come into force?
Most of the key provisions landed on 5 February 2026. The new right for individuals to complain directly to employers arrives a little later, on 19 June 2026.
Do we still need employee consent to process HR data?
Rarely, and probably not for the reason you’d hope. Given the power imbalance built into any employment relationship, consent generally isn’t considered a robust lawful basis. Most HR processing relies on other grounds instead, such as contractual necessity or legal obligation.
How long do we have to respond to a subject access request?
One calendar month from receipt, extendable by a further two months for genuinely complex requests. Under the DUAA, you can now pause that clock if you need to ask the requester to clarify what personal data they’re actually after.
Can we use AI tools in recruitment under the new rules?
The DUAA gives employers more breathing room to use automated decision-making, provided the decision isn’t based wholly or partly on special category data; using this data to make automated decisions often requires explicit consent from the data subject. Candidates and employees still need clear notice, the right to contest a decision, and access to a human reviewer ……so the robots aren’t quite unsupervised yet!
What actually counts as a data protection complaint under the new rules?
More than you might think! The ICO has confirmed that complaints don’t need to use the words “GDPR” or “data protection” to count, and can arrive through pretty much any channel, including in person or even on social media.
What happens if we don’t have a complaints process in place?
There’s no small business exemption here, so “we’re a bit too small for that” simply won’t fly. Not having an accessible, documented process could itself become a compliance and reputational headache, quite separate from how any individual complaint goes.
What are the maximum fines for a GDPR breach in 2026?
Higher-tier breaches, like unlawful processing of special category data, can attract fines of up to £17.5 million or 4% of global annual turnover, whichever is greater. Standard-tier breaches, including missing a SAR deadline, can still cost up to £8.7 million or 2% of turnover. Neither is what you’d call pocket change…
Do we need a Data Protection Officer?
Only if your organisation meets the specific criteria in Article 37 of UK GDPR (broadly, large-scale systematic monitoring or large-scale special category data processing). Every employer, regardless of size, still needs someone clearly accountable for data protection, DPO or not.
Where can we get authoritative guidance on all this?
The ICO’s website remains the definitive source for UK GDPR guidance, and it’s worth bookmarking given how much has shifted since the original 2018 scramble. You can reach it here.
This article reflects the UK data protection landscape as of July 2026. Data protection law loves to shift the goalposts just when you think you’ve pinned it down. So, always check the ICO’s website for the latest guidance, and take independent legal advice for anything specific to your organisation.
About the author
Katy Graham is the Compliance & Data Protection Lead at Cezanne HR, with over ten years of experience in data protection, privacy, compliance, and information security. Prior to joining Cezanne, Katy held senior compliance and data protection roles within hospitality and IT sectors, developing extensive expertise in GDPR compliance, information security management, risk management, and regulatory assurance.