Summer GDPR Updates: What You May Have Missed

While summer might feel like a distant memory, the data protection changes that came with it are still worth your attention. The Data (Use and Access) Act 2024 (DUAA) quietly came into force in June, bringing a series of important GDPR updates for employers. It’s part of the government’s ongoing effort to simplify and modernise data protection law without replacing the existing UK GDPR framework.

For HR teams and business owners, this means there’s no need to overhaul your systems — but there are some key updates that will affect how you manage employee data, handle requests, and use technology at work. Some are already in place, while others will roll out over the coming months.

Data Subject Access Requests: A More Proportionate Approach

One of the most practical changes is around data subject access requests (SARs) — those often time-consuming requests from employees or ex-employees asking for all the personal data you hold about them.

The new legislation now clearly states that you only need to carry out a search that’s “reasonable and proportionate.” This means you no longer have to turn over every stone if it would be excessively time-consuming and unlikely to add much value.

However, this doesn’t mean you can ignore parts of a request or take shortcuts. For example, if an employee asks for all the emails their line manager sent about them over the past year, it’s reasonable to check the manager’s mailbox and HR files but not to trawl every department’s shared drive. The key for employers is to document your reasoning carefully, showing that you took a fair and sensible approach — something that’s especially important if your decision is ever questioned by the ICO or the employee themselves.

Preparing for New Data Protection Complaint Rules

Another area that’s changing is how businesses handle data protection complaints. When these new provisions take effect, you’ll need to have a clear and accessible process for anyone who wants to raise a concern about how their personal data is used.

This will include offering an electronic form, acknowledging complaints within 30 days, and providing an outcome without unnecessary delay. Although these rules aren’t yet live, SMEs would be wise to prepare now. Setting up a simple process — for example, a dedicated HR or compliance email address and a short online form — not only helps meet your legal obligations but also builds employee confidence that data is handled transparently and professionally.

Automated Decision-Making and the Use of AI

One of the most talked-about updates relates to automated decision-making, which is particularly relevant as more employers explore the use of AI and automation in recruitment and HR systems.

Currently, fully automated decisions (like algorithms used to shortlist job applications) are only allowed in limited situations, such as with explicit consent or when required by law. The DUAA expands this slightly, giving employers more flexibility, but it still requires meaningful human oversight.

That means you can use software to help sift CVs or flag potential performance concerns — but a manager must always make the final decision. Now is a good time to review your HR systems and identify where automation is used. Check that managers are trained to interpret automated outputs critically, and consider any potential bias that might creep in.

A New Lawful Basis: Recognised Legitimate Interests

Another forthcoming change is the introduction of a new “recognised legitimate interests” lawful basis for processing personal data. This will apply to specific activities such as safeguarding public security, without requiring the usual balancing test.

For most HR and employment-related processing, existing lawful bases — like performing a contract or complying with legal obligations — will continue to apply. Still, understanding this new option helps ensure your business stays ahead of the curve as data protection law continues to evolve.

Workplace Monitoring and Privacy Risks

Beyond the DUAA itself, there are other developments that employers need to keep on their radar. Workplace monitoring and surveillance — whether through CCTV, keystroke tracking, or biometric scanning — remains a growing area of concern.

While monitoring can have legitimate purposes, such as ensuring safety or protecting assets, it also carries significant risks if not handled carefully. It can easily undermine trust, affect morale, and even lead to claims of indirect discrimination if used disproportionately.

Before introducing or changing any kind of monitoring, carry out a Privacy Impact Assessment to check that it’s fair, necessary, and proportionate. If the risks are higher, a full Data Protection Impact Assessment (DPIA) under UK GDPR will be needed. These assessments should also explore less intrusive options — for instance, setting clear performance objectives instead of tracking every click or login.

ICO Clarifies What Counts as an “Excessive” Request

The ICO has also offered greater clarity around when a subject access request can be considered excessive. While many employers feel overwhelmed when faced with broad or repeated SARs, the law is clear that a request isn’t automatically “excessive” just because it’s time-consuming or repetitive.

To justify refusing a request or charging a fee, you would need to show that it was made with abusive intent — for example, to disrupt your business — and that your response was proportionate and necessary.

In most cases, the safest and most compliant route will still be to respond to the request in full, while documenting your reasoning carefully.

Reviewing HR Data Retention Practices

Finally, the ICO’s updated guidance on employment record retention is a useful reminder to review how long you’re keeping different types of HR data.

The advice is to avoid one-size-fits-all policies. For example, payroll and tax records generally need to be kept for six years for HMRC purposes, while disciplinary records are usually only relevant for 12–24 months after expiry. Employers should ensure their retention schedules reflect these distinctions and that privacy notices are updated accordingly.

Remember, once a retention period has ended, employees have the right to request deletion unless there’s a lawful reason to retain the data longer.

Staying Compliant and Building Trust

The Data (Use and Access) Act 2024 and wider data protection changes in the UK show that GDPR compliance isn’t static — it’s evolving. For SMEs, this means taking the time to review policies, train staff, and keep clear records of your decisions.

By staying proactive rather than reactive, you’ll not only stay on the right side of the law but also strengthen trust with your employees — something every business can benefit from.

How HR:4UK Can Help

At HR:4UK, we understand that HR compliance for small businesses can feel like a moving target, especially when the rules shift quietly in the background.

We help employers translate complex GDPR requirements into practical, everyday processes — from handling SARs and managing data complaints to setting up compliant monitoring practices and retention schedules. Whether you need a GDPR health check or ongoing HR support, our team is here to help you protect your business and your people.

Angela Clay

A qualified employment law solicitor and our managing director, Angela has unparalleled legal expertise and decades of experience and knowledge to draw from. She’s a passionate speaker and writer who loves to keep employers updated with upcoming changes to legislation, and is a regular guest speaker on BBC Leicester Radio.