Data protection update

Changes to employers' data-related procedures

The Data (Use and Access) Act 2025 (the Act) became law on 19 June 2025. The Act makes amendments to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

The Act makes some notable changes for employers to be aware of, as follows:

Subject access requests

The UK GDPR grants individuals the right to access their personal data held by an organisation.

Prior to the Act, there was no limit on the extent of the search required of an employer, and employers had a one-month timeframe in which to comply with an individual’s request.

The Act now permits employers to undertake a “reasonable and proportionate” search. In addition, where the request from an individual is complex or there have been multiple requests from an individual, employers are now permitted to “stop the clock” and request clarification of an individual’s request. This allows them to extend the timeframe to respond from one month to two months.

In reality, these changes are in accordance with existing practices that employers follow in line with guidance from the Information Commissioner’s Office (ICO), but the Act codifying the ICO’s guidance is a welcome clarification for employers.

Complaints procedure

The way in which individuals can make a complaint in respect of their data handling has changed.

Previously, an individual was able to complain directly to the ICO. However, the process has been modified by the Act. Now, individuals must first raise their complaint with their employer before being able to raise a complaint with the ICO.

In practice, therefore, the Act requires employers to implement a complaints handling procedure. As part of this procedure, the Act requires that employers acknowledge receipt of the complaint within 30 days and then, “without undue delay”, take appropriate steps to investigate the subject matter of the complaint and inform the complainant of the outcome.

Automated decision-making

Prior to the Act entering into force, the UK GDPR set very stringent restrictions on automated decision-making (ADM). ADM is the process of making decisions that have a legal or similarly significant effect on individuals, with no meaningful human involvement in the decision-making process. An example of ADM is an aptitude test used for recruitment which determines the success of applicants using pre-programmed algorithms and criteria.

Article 21 of the UK GDPR previously provided that no such ADM was permitted unless the process could meet one of three exceptions under Article 22:

  • the decision is necessary for the performance of a contract with the individual;
  • the decision is authorised by law (and it is reasonable to use ADM in such circumstances); or
  • the individual has given explicit consent.

The Act changes the approach to ADM quite significantly. Instead of a general prohibition with limited exceptions, it now allows employers to use ADM more widely subject to ensuring safeguards are implemented and followed. Broadly, these safeguards include individuals being informed that ADM is being used, the right to obtain human intervention/review if so requested and the ability to contest significant decisions.

It should be noted that the use of special category data (e.g. religious beliefs, political opinions or health data) in ADM will remain restricted.

Key takeaways for employers

Subject access requests

For complex requests or multiple requests, an employer is permitted to extend the timeframe to respond from one month to two months.

The extent of the search required is simply a “reasonable and proportionate” one.

Complaints procedure

A new complaints procedure will need to be implemented for handling complaints from data subjects.

Use of automated decision-making (ADM)

There is more scope for an employer to use ADM in their decision-making processes (e.g. recruitment practices).