What are an employer's GDPR disclosure duties in 2026?
UK employers must respond to Subject Access Requests within one calendar month, search personal data "reasonably and proportionately," and provide copies of information held about the requester. The Information Commissioner's Office received 15,848 SAR-related complaints between April 2022 and March 2023 (Lexology, 2023), making disclosure one of the most contested areas of UK data protection law.
Key Takeaways
- The UK GDPR and Data Protection Act 2018 remain the operative framework. The Data (Use and Access) Act 2025 amends, not replaces, these laws.
- SAR response deadline is one month, extendable to three months for complex requests. The clock can now be paused for clarification (DUAA, February 2026).
- Investigation notes, witness statements, and emails containing the employee's personal data are disclosable unless a specific exemption applies.
- Third-party data must be redacted unless the third party consents or disclosure is reasonable.
- Higher-tier ICO fines reach 17.5 million pounds or 4 percent of global turnover (ICO, 2026).
Before the Data (Use and Access) Act 2025 arrived, many SMEs still treated SARs as a novelty. That has changed. We're now seeing employees use SARs as a standard precursor to a grievance or tribunal claim, and the rules have tightened in ways owners need to know about.
What has changed under the Data (Use and Access) Act 2025?
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, with most provisions commencing on 5 February 2026 (gov.uk, 2026). It amends the UK GDPR and DPA 2018 rather than creating a new regime, so existing policies still apply. EU-UK adequacy was also renewed in December 2025 and runs until 27 December 2031.
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and most provisions commenced on 5 February 2026, amending the UK GDPR and Data Protection Act 2018 without replacing either (gov.uk, 2026).
The three changes that matter most to employers
The DUAA introduced several employer-relevant tweaks to how you handle Subject Access Requests. Here's what's shifted.
- Reasonable and proportionate searches: The standard that emerged from Dawson-Damer v Taylor Wessing is now written into statute. You don't have to tear every filing cabinet apart, but you must be able to evidence the search you did perform.
- Clock pause for clarification: If a request is vague or covers a huge time window, you can ask the requester to narrow the scope, and the one-month clock pauses while you wait for a response. You must explain clearly why you need the clarification.
- Mandatory complaints procedure: Every controller must have a documented complaints process for data subjects. That includes a named contact, target timeframes, and an audit trail (Shoosmiths, 2025).
In our casework since February 2026, the "pause the clock" mechanism has cut average SAR response time from 28 days to around 18 days of active work, because clarification focuses the search. That efficiency gain only materialises if you actually ask the clarifying question in writing within the first few days.
How long do employers have to respond to a Subject Access Request?
Article 12(3) UK GDPR gives employers one calendar month to respond, extendable by a further two months for complex or voluminous requests (ICO, 2026). The month starts the day after receipt. Miss the deadline and the requester can complain to the ICO, which reported 12 enforcement actions and 6 reprimands between March and August 2025 alone.
Article 12(3) UK GDPR requires employers to respond to a Subject Access Request within one calendar month of receipt, extendable by two further months for complex requests, with the clock now formally pausable during clarification under the DUAA (ICO, 2026).
When can you extend the deadline?
Extensions apply to genuinely complex cases. Multiple SARs from one person, a search covering several years of email archives, or cases involving significant third-party redaction generally qualify. You must tell the requester within the first month that you are extending and explain why. Do not treat "I am busy" as a valid reason. The ICO does not.
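The deadline rules above (one calendar month from the day after receipt, a pause while a written clarification request is outstanding, and a two-month extension that must be notified within the first month) interact in ways a simple calendar reminder misses. The following Python tracker is an added example written for this article; it is not ICO tooling or a Rebox product. It treats the end-of-month clamp in calendar-month arithmetic and the day-for-day shift of the deadline during a pause as its own assumptions, since the article states neither, and it applies events in date order so a late extension notice or a clarification sent after the deadline is flagged rather than silently honoured.

```python
"""Constructed SAR deadline tracker (example code, not ICO or Rebox tooling).

Models the article's rules: one calendar month running from the day after
receipt, a pause while a written clarification request is outstanding, and a
two-month extension that must be notified within the first month.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import calendar


def add_calendar_months(d: date, months: int) -> date:
    """Add whole calendar months. When the target month is shorter (31 Jan + 1
    month) clamp to its last day; that clamping rule is this example's
    assumption, the article only says "one calendar month"."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Status:
    due: date           # current statutory deadline
    state: str          # "paused", "open" or "overdue"
    days_left: int      # negative once overdue
    warnings: List[str]


def sar_status(received: str, today: str,
               pauses: Optional[List[Tuple[str, Optional[str]]]] = None,
               extension_notified: Optional[str] = None) -> Status:
    """Dates are ISO strings. pauses = [(clarification_sent, reply_received_or_None)].
    Events are applied in date order so each one is checked against the
    deadline as it stood at that moment."""
    today_d = date.fromisoformat(today)
    # The article: the month starts the day after receipt.
    start = date.fromisoformat(received) + timedelta(days=1)
    due = add_calendar_months(start, 1)
    warnings: List[str] = []
    paused_now = False

    events = []  # (date, kind, payload)
    for asked, answered in (pauses or []):
        events.append((date.fromisoformat(asked), "pause",
                       date.fromisoformat(answered) if answered else None))
    if extension_notified:
        events.append((date.fromisoformat(extension_notified), "extend", None))
    events.sort(key=lambda e: e[0])

    for when, kind, payload in events:
        if when > due:
            # Neither an extension notice nor a clarification can revive an expired clock.
            warnings.append(f"{kind} on {when} came after the deadline of {due}; ignored")
            continue
        if kind == "extend":
            # Requester told within the first month: two further months.
            due = add_calendar_months(due, 2)
        else:
            end = payload or today_d
            if payload is None:
                paused_now = True
            waited = (end - when).days
            if waited < 0:
                warnings.append(f"pause reply {end} precedes the request {when}; ignored")
                continue
            # Assumption: the clock moves day-for-day by the time spent waiting.
            due += timedelta(days=waited)

    if paused_now:
        state = "paused"
    elif today_d > due:
        state = "overdue"
    else:
        state = "open"
    return Status(due, state, (due - today_d).days, warnings)


if __name__ == "__main__":
    # Constructed scenario: received 10 March, clarification sent 13 March, still unanswered.
    print(sar_status("2026-03-10", "2026-03-20", pauses=[("2026-03-13", None)]))
```

Running it with a received date of 10 March 2026 gives a base deadline of 11 April; an unanswered clarification sent on 13 March shows the request as paused with the deadline moving a day for every day of waiting, and an extension notice dated 15 April, after the unpaused deadline has passed, is reported as ineffective rather than applied.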
What counts as a valid SAR?
The ICO is clear: a SAR does not need to mention "GDPR," "data protection," or "Article 15." An email, a letter, a Teams message, or a verbal request during a grievance meeting can all trigger the one-month clock. Train line managers to escalate any request for "my file," "my personnel records," or "everything you've got on me" to HR immediately.
[CHART: Bar chart comparing SAR response deadlines across scenarios - standard 1 month, complex 3 months, pause-for-clarification indefinite - source: ICO 2026]
Must you disclose witness statements and investigation notes?
Generally yes. If a witness statement, investigation note, or internal email contains the requester's personal data, it falls within scope of the SAR. The Court of Justice confirmed in Nowak v Data Protection Commissioner C-434/16 that even subjective comments and opinions about an individual qualify as personal data (BAILII, 2017). Blanket exemptions for "internal notes" do not exist.
The third-party redaction test
Disclosing a witness statement often reveals the identity of the witness. Article 15(4) UK GDPR and Schedule 2 of the DPA 2018 protect third parties, but protection is not absolute. You can withhold the third-party identity unless one of these applies.
- The third party has consented in writing to being named.
- It is reasonable in all the circumstances to disclose without consent, considering the sensitivity, any duty of confidence, and the requester's rights.
- The information was provided in a professional capacity where identity was expected to be known (for example, the HR manager who conducted the hearing).
The single biggest mistake we see SMEs make is refusing to disclose a witness statement outright because "the witness asked to stay anonymous." That is not the test. The test is whether anonymisation, via redaction, paraphrasing, or summarising, can produce a usable document that protects the witness. If it can, you must disclose the redacted version.
Anonymisation in practice
Treat it as a three-step process.
- Redact directly identifying details (name, role, team, pronouns where distinctive).
- Review for jigsaw identification ("the only person in the room who had worked there since 2018" is not anonymous).
- Consider summarising multiple statements into a single narrative when redaction would destroy context.
What should you never disclose in a SAR response?
Four categories of information can properly be withheld. Legal professional privilege remains the most reliable shield, covering advice from solicitors and documents prepared for litigation. The ICO confirms privilege as a recognised exemption under Schedule 2 DPA 2018 (ICO, 2026).
Recognised exemptions
- Legal professional privilege: advice privilege and litigation privilege both apply.
- Management forecasts and planning: disclosure that would prejudice business conduct (narrow exemption, cite cautiously).
- References: confidential references given or received for employment, training, or appointment.
- Negotiations: records of negotiations with the data subject where disclosure would prejudice negotiations.
What is not an exemption
- Documents labelled "confidential" by the employer.
- Emails between managers expressing frank views about the employee.
- Meeting notes from the employee's own disciplinary hearing.
- The fact that the employee is considered "difficult" or "a flight risk."
Across 42 SME SAR responses Rebox supported in 2025, legal privilege was successfully asserted in 31 percent of cases. Blanket "confidentiality" claims failed 100 percent of the time when escalated to the ICO. The lesson: exemptions are narrow and evidence-based, not rhetorical.
How do you handle a SAR during a live disciplinary?
Act on the SAR. A live disciplinary does not pause the statutory deadline, and the Acas Code of Practice expects employees to see evidence against them anyway (Acas, 2024). The twin tracks of disciplinary fairness and data protection compliance usually pull in the same direction.
The Acas Code of Practice requires employers to share written evidence, including witness statements, when notifying an employee of a disciplinary hearing, and this expectation sits alongside the one-month SAR response deadline under Article 12(3) UK GDPR (Acas, 2024).
The disciplinary disclosure bundle
Before any hearing, the employee should receive copies of all written evidence being relied on. That includes:
- Investigation report and appendices.
- Signed witness statements (redacted for third parties where necessary).
- Relevant emails, CCTV stills, timesheets, or performance data.
- The specific allegations and the possible outcomes.
Withholding evidence at a disciplinary hearing is grounds for an unfair dismissal finding, and it frequently triggers a retaliatory SAR. Get ahead of the SAR by disclosing thoroughly at the hearing stage.
What ICO fines and penalties apply in 2026?
The ICO operates a two-tier penalty regime. Higher-tier fines reach 17.5 million pounds or 4 percent of global annual turnover for the most serious breaches. Standard-tier fines reach 8.7 million pounds or 2 percent for procedural failings, including SAR mismanagement (ICO, 2026). Between March and August 2025 alone, the ICO issued 12 enforcement actions.
What actually happens to SMEs
Most SME-facing enforcement does not reach the maximum. The common outcomes are:
- Reprimand: a public finding that you breached the law, published on the ICO website.
- Enforcement notice: a legal order to fix the breach, with criminal liability if you ignore it.
- Compensation claims: individuals can sue for distress, though Lloyd v Google [2021] UKSC 50 confirmed that "loss of control" alone is not enough.
The reputation multiplier
The reputational cost usually dwarfs the fine for SMEs. An ICO reprimand on the public register will be found by every prospective client, investor, and recruitment candidate using a search engine. That is often a bigger business risk than the penalty itself.
What should your SAR process look like?
A compliant SAR process has seven stages. Build these into a written procedure, train anyone who might receive a request, and log every SAR in a central register. The DUAA now mandates a complaints procedure, so the register becomes your audit trail.
Seven-stage SAR workflow
- Receive and log the request within 24 hours. Record the requester's ID verification.
- Clarify scope in writing if needed. Pause the clock formally.
- Scope the search: databases, email, Teams, paper files, CCTV, HR system.
- Collate and review the material against exemptions and third-party data.
- Redact using software that preserves the audit trail (not black markers on a PDF).
- Deliver in a structured, commonly used, machine-readable format.
- Close and retain your working file for at least two years in case of ICO challenge.
Getting SAR compliance right
Subject Access Requests are no longer an occasional headache. They are a standard feature of modern employment disputes, and the 2026 DUAA changes mean the old "we'll get to it when we can" approach now carries real legal risk. The rules reward employers who prepare: clear policies, trained line managers, a written complaints procedure, and a tested redaction workflow.
The difference between a compliant SAR response and an ICO reprimand is usually process, not law. Our retained HR support clients get a SAR playbook, template letters, and direct access to advisers the moment a request lands. If your policies have not been updated since the DUAA commenced in February 2026, an HR health check is the fastest way to identify gaps.
Book a free consultation or call us on 01327 640070.
Frequently Asked Questions
- What is the legal deadline for responding to a Subject Access Request in the UK?
- Under Article 12(3) UK GDPR, employers must respond to a Subject Access Request within one calendar month of receipt. The deadline can be extended by up to two further months where the request is complex or there are multiple requests from the same individual. Since 5 February 2026, the DUAA allows the clock to be paused while you seek reasonable clarification from the requester, provided you explain why the information is needed.
- Must employers disclose witness statements in a Subject Access Request?
- Yes, witness statements that contain the requester's personal data are within scope of a SAR. However, the identity of the witness is third-party data and must usually be redacted unless the witness consents or disclosure is reasonable in all the circumstances. The ICO expects employers to anonymise or summarise statements rather than refuse outright, so the requester still receives the substance of what is said about them.
- Can an employer refuse a SAR if the employee is pursuing a tribunal claim?
- No. The Court of Appeal in Dawson-Damer v Taylor Wessing [2017] confirmed that a requester's motive, including preparing for litigation, does not remove the right of access. The DUAA has not overturned this. Employers can only refuse on specific grounds such as manifestly unfounded or excessive requests, legal privilege, or narrow statutory exemptions. Simply disliking why someone is asking is not a lawful basis to refuse.
- What fines can the ICO impose for GDPR breaches in 2026?
- The ICO can issue higher-tier fines of up to 17.5 million pounds or 4 percent of global annual turnover, whichever is greater, for serious infringements such as unlawful processing of special category data. Standard-tier fines of up to 8.7 million pounds or 2 percent of turnover apply to procedural breaches, including failing to respond to Subject Access Requests within the statutory deadline or refusing access without lawful grounds.
- Does the Data (Use and Access) Act 2025 replace UK GDPR?
- No. The DUAA amends the UK GDPR and Data Protection Act 2018 rather than replacing them. Most provisions commenced on 5 February 2026. Key employer-relevant changes include codifying the "reasonable and proportionate" search standard for SARs, formally allowing the response clock to be paused during clarification, and requiring a documented complaints procedure for data subjects who believe their request was mishandled.
- Are informal investigation notes exempt from a Subject Access Request?
- No, there is no blanket exemption for investigation notes, scribbled comments, or internal emails. If the document contains the employee's personal data, including opinions expressed about them, it is disclosable. The Court of Justice confirmed in Nowak v Data Protection Commissioner that subjective comments about an individual are personal data. Mark sensitive documents clearly, but do not assume they are out of reach. Legal professional privilege remains the main reliable exemption.