Your employee privacy notice is probably out of date – and 2026 will expose it

May 19, 2026

From 16 June 2026, employers will face new obligations under the Data (Use and Access) Act 2025, requiring them to operate a clear and accessible internal data protection complaints process – including for complaints arising from dissatisfaction with DSAR responses.

At first glance, the change may appear relatively modest. In practice, however, it is likely to have much wider implications for HR teams and employers managing employee data.

The new rules do more than introduce another procedural step. They raise an important question for organisations – Do employees genuinely understand how their personal data is being used – and do existing privacy notices still reflect reality?

DSARs are no longer the end of the story

Historically, many organisations have treated a DSAR response as the end of the process. If an employee remained dissatisfied, they were often directed to the ICO.

After 16 June 2026, that approach is unlikely to be enough.

Employers will be expected to demonstrate that they can:

  • receive and manage data protection complaints internally;
  • investigate concerns without undue delay;
  • communicate outcomes clearly and transparently; and
  • attempt to resolve issues before matters escalate externally.

That shift means complaints handling is no longer simply an operational issue – it is now part of the organisation’s broader transparency obligations.

Why this matters for HR teams

In practice, employee complaints about data protection rarely arise in isolation. They are often triggered by a broader concern that employees do not fully understand:

  • what information is being collected;
  • how it is being used;
  • who has access to it; or
  • how decisions affecting them are being made.

And that is where many employee privacy notices begin to fall short.

A large number were drafted years ago, when employee data processing was comparatively straightforward. Since then, HR functions have evolved rapidly, with organisations increasingly relying on:

  • digital HR and workforce analytics platforms;
  • employee monitoring and productivity tools;
  • AI-assisted recruitment, absence management and performance systems; and
  • automated or semi-automated decision-making supported by human oversight.

Yet privacy notices have not always evolved at the same pace.

Where employee-facing documentation no longer accurately reflects day-to-day data practices, complaints risk inevitably increases – particularly where employees are already engaged in sensitive workplace issues such as grievances, disciplinaries, performance management or exits.

Why 2026 is the ideal review point

The introduction of mandatory internal complaints procedures creates a natural opportunity for employers to review their employee data transparency framework more broadly.

For many organisations, this does not require a complete rewrite. A focused and proportionate refresh may be enough to ensure that privacy information:

  • accurately reflects current HR data practices;
  • clearly explains employee rights and complaint routes;
  • aligns with DSAR handling procedures;
  • properly addresses AI and automated processing; and
  • is written in language employees can realistically understand.

Importantly, this is not just about reducing regulatory risk.

Clearer employee privacy information can help HR teams manage expectations earlier, reduce misunderstandings, and strengthen trust around sensitive people processes.

Looking ahead

As employment data practices become more sophisticated, employee scrutiny is increasing alongside regulatory expectations.

The June 2026 changes are therefore about more than technical compliance. They are an opportunity for organisations to ensure their employee data practices are transparent, defensible and aligned with how modern HR functions actually operate.

If your employee privacy notice doesn’t reflect what you’re actually doing with data, it’s a problem waiting to surface. Contact us – Hannah King can help you quickly identify the gaps and put robust, practical updates in place.

Hannah King
Legal Director, Employment
<script>
document.addEventListener('DOMContentLoaded', function () {
  const deptEl = document.getElementById('acf-author-department');
  const department = deptEl?.dataset?.department;

  if (typeof gtag === 'function' && department) {
    gtag('set', { author_department: department });
  }
});


  window.dataLayer = window.dataLayer || [];
  const dept = document.getElementById("author-department")?.textContent?.trim();
  if (dept) {
    window.dataLayer.push({
      event: "authorDataReady",
      author_department: dept
    });
  }

</script>
View profileContact Us

This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.

Latest Legal Insights