Office & Corporate Compliance · 8 April 2026 · 7 min read

GDPR, Data Protection and Workplace Compliance for UK Office Businesses in 2026


Office and corporate businesses face a rapidly evolving compliance landscape in 2026. The Data (Use and Access) Act has updated UK GDPR obligations, Day One employment rights have reformed HR policy requirements, and ICO enforcement activity is at a record high. Here is what UK office businesses need to have in place.

UK GDPR and the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is being commenced in phases. It amends the UK's data protection framework in ways that every business processing personal data must understand. The core principles of UK GDPR remain unchanged, but the Act introduces several significant updates:

  • Recognised Legitimate Interests: a new lawful basis (Article 6(1)(ea) UK GDPR) for a closed list of activities such as crime prevention, safeguarding and responding to emergencies, for which no balancing test is required. Ordinary commercial processing still relies on the existing legitimate interests basis and still needs a documented legitimate interests assessment
  • Senior Responsible Individual: this role appeared in the earlier Data Protection and Digital Information Bill, which fell before the 2024 general election, and was not carried into the 2025 Act. The Data Protection Officer requirement under Article 37 UK GDPR is unchanged, so do not remove a DPO on the strength of the new Act
  • Subject Access Requests and complaints: the Act puts the ICO's practice of a "reasonable and proportionate" search, and of pausing the response clock while you seek clarification from the requester, onto a statutory footing. Controllers must also operate a process for handling data protection complaints from individuals
  • Digital Verification Services: a statutory trust framework for providers that verify identity digitally, relevant for any business conducting online onboarding
  • Updated international transfer provisions: a revised "data protection test" for transfers of personal data to countries outside the UK
  • PECR fines: penalties for breaches of the marketing and cookie rules are raised to the same levels as UK GDPR fines

Any data protection policy written before the Data (Use and Access) Act 2025 should be reviewed and updated to reflect these changes.

£17.5m: maximum ICO fine for serious UK GDPR breaches (or 4% of global annual turnover, whichever is higher)
£8.7m: maximum ICO fine for other breaches (or 2% of global annual turnover, whichever is higher)

ICO Enforcement in 2026 — What Triggers Investigation

ICO enforcement activity has increased significantly. In 2025/26, the ICO issued fines to businesses across a range of sectors including financial services, healthcare, retail and professional services. The most common triggers for ICO investigation are:

  • Data breaches: particularly where the ICO was not notified under Article 33 UK GDPR without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, or where a late notification carried no reasons for the delay
  • Complaints from individuals exercising their rights: Subject Access Requests not answered within one month of receipt (extendable by up to two further months for complex requests, provided the requester is told within the first month), erasure requests ignored
  • Unsolicited marketing communications: particularly email and SMS marketing without valid consent under PECR, which now attracts fines at UK GDPR levels
  • Third party processor failures: where a supplier or processor has a breach but the data controller (your business) had no Article 28 contract in place or had not conducted adequate due diligence on the processor's security

For most office businesses, the most practical risk is an inadequate response to a Subject Access Request or a failure to notify the ICO of a data breach in time. Both require documented procedures, with the deadline calculated and recorded on the day the request arrives or the breach is discovered, so that they can be handled correctly under time pressure.
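The two deadlines above are the ones most often missed, and the SAR deadline has a real edge case: "one month" means the corresponding calendar date in the following month, or the last day of that month if there is no corresponding date (a request received on 31 January is due on 28 February, not 3 March). The following is an added example, not code from the original article or from any product it mentions; it implements the ICO's counting rule and the 72-hour breach clock for a request log, and assumes the pause of the SAR clock while awaiting clarification is handled separately.

```python
from datetime import date, datetime, timedelta
import calendar


def sar_deadline(received: date, extension_months: int = 0) -> date:
    """Response deadline for a Subject Access Request (Article 12(3) UK GDPR).

    Uses the ICO's counting rule: the corresponding calendar date in the
    following month, or the last day of that month if it is shorter.
    extension_months may be 0, 1 or 2 (the permitted extension for complex
    or numerous requests; the requester must be told within the first month).
    Pausing the clock while awaiting clarification is not modelled here.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension is at most two further months")
    months_ahead = 1 + extension_months
    year = received.year + (received.month - 1 + months_ahead) // 12
    month = (received.month - 1 + months_ahead) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the ICO under Article 33 UK GDPR.

    The clock starts when the controller becomes aware of the breach, not
    when the incident started. A later notification must give reasons.
    """
    return aware_at + timedelta(hours=72)


# Constructed sample entries, as an incident/request log might hold them.
if __name__ == "__main__":
    for received, ext in [(date(2026, 1, 31), 0), (date(2026, 3, 15), 0),
                          (date(2026, 12, 31), 2)]:
        print(f"SAR received {received}, extension {ext}: "
              f"respond by {sar_deadline(received, ext)}")
    aware = datetime(2026, 4, 8, 9, 0)
    print(f"Breach noticed {aware}: notify ICO by "
          f"{breach_notification_deadline(aware)}")
```

Store the computed deadline alongside the request or incident record rather than recomputing it, so that a later change to the extension or to the awareness time is visible in the audit trail.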

Day One Employment Rights — What Changed in 2026

The Employment Rights Act 2025 introduced several significant changes to employment law, which are being commenced in phases from 2026. Office businesses with any employees must update their HR policies to reflect:

Statutory Sick Pay from Day One

From 6 April 2026 the three waiting days for Statutory Sick Pay (SSP) and the lower earnings limit have been removed. Employees are entitled to SSP from their first day of absence, and lower earners who previously fell below the limit now receive the lower of 80% of their normal weekly earnings or the flat SSP rate. Any sickness absence policy that still references the old three-day waiting period is now non-compliant and should be updated immediately.

Unfair Dismissal Rights and the Qualifying Period

The Act shortens the two-year qualifying period for unfair dismissal protection. During the Bill's passage the government moved away from full Day One protection to a reduced qualifying period, announced as six months, with commencement scheduled after the April 2026 changes. Check the current commencement position before rewriting procedures rather than assuming Day One protection already applies. Either way, the practical implication is the same: disciplinary and dismissal processes used during probationary periods must meet the same documented, fair-process standard as those for established employees, because the window in which a dismissal carries no unfair dismissal risk is closing.

Flexible Working by Default

Flexible working has been a Day One right since April 2024 under the Employment Relations (Flexible Working) Act 2023, with employers required to respond to requests within two months. The Employment Rights Act 2025 adds that a refusal must not only rely on one of the statutory grounds but also be reasonable, and the employer must explain why. A remote working or flexible working policy that does not reflect these changes is now out of date.

Mental Health Risk Assessments — HSE's 2026 Requirements

The HSE has formally integrated psychosocial risks — including work-related stress, burnout and poor mental health — into its inspection framework for all employers, including office-based businesses. Where previously H&S policy focused on physical hazards, inspectors now expect to see evidence that employers have assessed psychosocial risks and have documented controls in place.

The HSE's Management Standards framework identifies six areas of work design that can cause stress: demands, control, support, relationships, role and change. An updated health and safety policy for office businesses should explicitly address each of these areas.

The Essential Policies for UK Office Businesses

Office and corporate businesses should have current, documented policies covering:

  • Data Protection and UK GDPR Policy — updated for the Data (Use and Access) Act 2025
  • IT Acceptable Use Policy — covering personal devices, cloud storage, AI tools and remote access
  • Acceptable Use of AI Tools Policy — new for 2026, covering ChatGPT, Copilot and other AI systems used by employees
  • Remote Working Policy — updated to reflect Day One flexible working rights
  • Sickness Absence Policy — updated to remove three-day SSP waiting period
  • Disciplinary and Grievance Procedure — updated for the shortened unfair dismissal qualifying period
  • Anti-Harassment and Bullying Policy — the Worker Protection (Amendment of Equality Act 2010) Act 2023 has required employers to take reasonable steps to prevent sexual harassment since October 2024, and the Employment Rights Act 2025 raises this to all reasonable steps
  • Health and Safety Policy — updated to include psychosocial risk assessment
  • Information Security Policy — covering data classification, breach response and third party access
  • Document Retention Policy — specifying how long different categories of data are held and how they are destroyed

AI Tools — A New Compliance Gap for 2026

The widespread adoption of AI tools in office environments has created a compliance gap that most businesses have not yet addressed. Employees using ChatGPT, Microsoft Copilot, Google Gemini and similar tools may inadvertently input personal data or confidential business information into systems whose data retention and training practices are not controlled by the employer. Where that input contains personal data, the tool's provider is processing it on your behalf without a processor contract, and if the data is retained or used for training the business may face a reportable breach. An Acceptable Use of AI Tools policy is now a practical necessity for any office business, not a future consideration, but a policy alone does not close the gap: it needs to be paired with a list of approved tools (typically enterprise tiers with contractual no-training and retention terms), a data protection impact assessment for those tools, and technical controls such as blocking consumer AI endpoints or applying data loss prevention rules to uploads.

ICO-Ready Office Documentation

Generate GDPR and workplace compliance policies in minutes

ProPolicyForge generates UK GDPR policies, IT acceptable use policies, remote working policies, AI tools policies and more — aligned to the Data (Use and Access) Act 2025 and the latest employment law reforms.


Disclaimer: This article provides general guidance only and does not constitute legal or regulatory advice. Businesses should refer directly to ICO guidance and seek specialist employment legal advice for their specific circumstances.