
Handling Subject Access Requests with Confidence Under New Data Act
Why It Matters
By codifying proportionate DSAR handling, the DUAA reduces costly litigation exposure and operational strain on HR, safeguarding both employee privacy and corporate risk management.
Key Takeaways
- DUAA mandates reasonable, proportionate DSAR searches, not exhaustive ones
- Redaction and anonymisation are now expressly lawful to protect third parties
- Legal professional privilege is fully exempt, but the withholding must be disclosed to the requester
- Unfounded or excessive DSARs can be refused or fee‑charged
- Response clock can pause for clarification, but not for fee decisions
Pulse Analysis
The UK’s upcoming Employment Rights Act change—cutting the unfair‑dismissal qualifying period from two years to six months—will likely trigger a wave of pre‑litigation data subject access requests. Historically, DSARs have morphed from a transparency right into a tactical weapon, forcing HR departments into exhaustive data hunts and exposing firms to costly disclosures. This surge coincides with heightened scrutiny from the Information Commissioner’s Office, prompting the need for clearer, more balanced legislation.
Enter the Data (Use and Access) Act 2025. The new law reframes DSAR obligations around reasonableness, allowing organisations to limit searches to what is proportionate and defensible. It explicitly sanctions redaction, summarisation, and anonymisation to protect third‑party confidentiality, while reinforcing legal professional privilege as an absolute exemption—provided the holder notifies the requester of the withholding. Moreover, the Act preserves the Article 12(5) safeguard, enabling firms to refuse or levy fees for manifestly unfounded or excessive requests, and introduces a “stop‑the‑clock” provision for legitimate clarification needs. These measures collectively shift DSAR handling from a reactive scramble to a strategic, risk‑aware process.
For employers, the practical takeaway is to act now. Implement structured record‑keeping systems that limit unnecessary email trails, update privacy notices to reflect the new procedural options, and train managers on controlled documentation practices. Draft clear internal policies outlining proportional search criteria, redaction protocols, and escalation paths for privilege claims. By embedding these controls before the July 2026 cut‑off for new hires, organisations can mitigate litigation risk, contain costs, and maintain confidence in their data governance framework.