UK employers receive more Subject Access Requests (SARs) than any other type of GDPR rights request. The ICO’s most-cited employer guidance covers SARs, and the volume keeps growing as employees and former employees become more aware of their right of access. From 5 February 2026 the rules changed: section 76 of the Data (Use and Access) Act 2025 introduced a stop-the-clock mechanism around identity verification and requests for clarification.
HR software handles most of the employee data that ends up in a SAR response. The platforms that make SAR fulfillment easy save days of HR work per request. The ones that make it hard turn each SAR into a multi-system data hunt.
- Statutory deadline: 1 month from receipt of a valid SAR, extendable by up to 2 months for complex or multiple requests. The clock can be paused for identity verification or scope clarification under the 2026 stop-the-clock rule.
- The 2026 change: Data (Use and Access) Act 2025 section 76, in force from 5 February 2026, lets you pause the deadline until identity is verified or clarification provided.
- UK HR software with good SAR support: HiBob, BambooHR (via API export), Employment Hero, Sage HR. UK-built lighter tools (BrightHR, Breathe HR, CharlieHR) handle it but with more manual effort.
- SAR exemptions UK employers should know: legal professional privilege, confidential references, management planning, manifestly unfounded or excessive requests. Document the justification.
- The single biggest cost is data scattering: a SAR response means collecting data from HR system, email, Slack/Teams, payroll, line manager files. Choosing HR software with strong export functionality keeps SAR cost manageable.
What counts as a SAR (and the 2026 stop-the-clock change)
If your business hires UK employees and contractors and you don’t yet have a SAR-ready process, HiBob and Employment Hero are the two UK-relevant HR platforms with the strongest structured data-export workflows. Both make SAR fulfillment a 2-hour HR task rather than a 2-day one.
A Subject Access Request is any communication where a current or former employee (or any data subject) asks for a copy of personal data you hold about them. The request does not need to use the words “subject access request” or “Article 15.” It does not need to be in writing – verbal SARs are valid, including those made via social media, phone, or in conversation. The employee does not need to give a reason.
Identifying a SAR among ordinary employee communications is the first hurdle. A line manager who receives an email asking “can you send me my appraisal notes?” has received a valid SAR even if it doesn’t read like a legal document. Misidentifying a SAR does not stop the clock: it started the day the email arrived, so every day spent not recognising it is lost from the response window. Late responses are one of the most common ICO complaint patterns.
The new stop-the-clock rule (in force since 5 February 2026)
Section 76 of the Data (Use and Access) Act 2025 amended the UK GDPR to permit pausing the 1-month deadline in two specific scenarios. The clock pauses while you are reasonably verifying the requester’s identity, and while you are reasonably asking for clarification about the scope of the request. The clock restarts once verification or clarification is received.
This is a meaningful change. Before February 2026, the clock started on receipt of the SAR and ran continuously. Identity verification ate into your response window. From 2026, the clock pauses for genuine verification steps, giving HR teams real space for due diligence on identity, particularly for ex-employees whose contact details may have changed.
What still applies:
- You must respond without undue delay and in any case within 1 month of receipt, with that month extended only by the period the clock was legitimately paused.
- You can extend the deadline by a further 2 months if the request is complex or you have received multiple requests from the same individual. You must inform the requester of the extension within the original 1-month window.
- The pause must be reasonable. Asking for identity verification on a current employee who sent the request from their authenticated work email is not reasonable. Asking for identity verification on a SAR received from a personal email by an ex-employee 4 years after departure is reasonable. Ask only for what the check needs: information already on file often suffices, and any copy of an ID document should be deleted once the check is done.
- Document the start and end of any pause. The ICO expects an audit trail.
The 5 SAR-readiness features that actually matter in HR software
“GDPR-compliant” is on every HR software marketing page. Useful SAR functionality is narrower. Five concrete capabilities make the difference between a 2-hour SAR response and a 2-day one:
| Feature | What it does | Why it matters |
|---|---|---|
| Structured per-employee export | One-click export of all data fields linked to a specific employee record, in CSV or PDF | Without this, you’re doing manual database queries |
| Document storage with employee association | Contracts, performance reviews, disciplinary notes, training certificates all linked to the employee record | SARs must include documents, not just structured fields |
| Audit trail / change history | Who viewed or edited which record when, and what changed | Article 15 entitles the requester to know who their data has been shared with; a per-record access and change log is how you answer “who has accessed my data” |
| Redaction tools | Block or remove third-party personal data (other employees mentioned, manager comments about colleagues) before disclosure | Disclosing other employees’ personal data while fulfilling one SAR is itself a personal data breach |
| Request log + deadline tracker | A place to record each SAR, the start date, the pause periods, the deadline, the response date | The audit trail the ICO expects when a complaint arrives |
Few HR platforms have all five built in as dedicated features. Most cover the first three (export, document storage, audit trail) and leave the last two (redaction, request log) to the HR team’s process discipline. That gap is where SAR fulfillment time blows out.
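The redaction row above is the capability most teams end up doing by hand. As an added example (not a feature of any vendor listed here and not code from the original page), the Python script below does the mechanical first pass: it masks other employees’ names and email addresses in an exported document, keeps the requester’s own data intact, writes a redaction log for the audit file, and then checks that nothing it was meant to remove survived. The staff list and the export text are constructed sample data; the placeholder format, the log fields and the decision to leave bare first names for a human to judge are this example’s own choices.

```python
"""Added example: first-pass redaction of third-party personal data in a SAR
disclosure, with a redaction log and a residual-identifier check.

Constructed sample data only. The staff list stands in for what an HR system
would export; the requester is excluded so their own data is disclosed intact.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    full_name: str
    email: str


# --- constructed sample input (not real people) -------------------------------
REQUESTER = Person("Alex Carter", "alex.carter@example.com")
STAFF = [
    REQUESTER,
    Person("Jane Smith", "jane.smith@example.com"),
    Person("Priya Patel", "priya.patel@example.com"),
]
EXPORT = """Performance review 2025-11-14 for Alex Carter (alex.carter@example.com).
Reviewer: Jane Smith (jane.smith@example.com). Jane Smith's notes: Alex missed
two deadlines on the Q3 project that J. Smith had reassigned from Priya Patel
after Priya raised concerns with Jane. Contact priya.patel@example.com for
the handover doc. Alex Carter disputes this account."""


def third_parties(requester: Person, staff: list[Person]) -> list[tuple[str, Person]]:
    """Everyone except the requester, each with a stable placeholder so the
    reader can still follow who-said-what without learning who they are."""
    others = [p for p in staff if p.email.lower() != requester.email.lower()]
    return [(f"[THIRD PARTY {i}]", p) for i, p in enumerate(others, 1)]


def redact(text: str, requester: Person, staff: list[Person]) -> tuple[str, list[dict]]:
    """Mask e-mail addresses, full names and initial+surname forms of every
    third party. Possessives ("Jane Smith's") keep their 's so the sentence
    still reads. Returns the redacted text and one log entry per person."""
    out, log = text, []
    for tag, p in third_parties(requester, staff):
        first, last = p.full_name.split(" ", 1)
        count = 0
        out, n = re.subn(re.escape(p.email), tag, out, flags=re.IGNORECASE)
        count += n
        name_forms = [
            rf"\b{re.escape(first)}\s+{re.escape(last)}",        # Jane Smith
            rf"\b{re.escape(first[0])}\.?\s*{re.escape(last)}",  # J. Smith, J Smith
        ]
        for form in name_forms:
            out, n = re.subn(form + r"(['’]s)?\b",
                             lambda m, tag=tag: tag + (m.group(1) or ""),
                             out, flags=re.IGNORECASE)
            count += n
        if count:
            log.append({"placeholder": tag, "subject": p.full_name, "redactions": count,
                        "ground": "third-party personal data (other employee)"})
    return out, log


def residual_identifiers(redacted: str, requester: Person, staff: list[Person]) -> list[str]:
    """Hard check before release: any third-party full name or e-mail that survived."""
    low = redacted.lower()
    return [p.full_name for _, p in third_parties(requester, staff)
            if p.full_name.lower() in low or p.email.lower() in low]


def manual_review_hints(redacted: str, requester: Person, staff: list[Person]) -> list[tuple[str, str]]:
    """Bare first names the tool deliberately leaves alone ("Jane" on its own
    could be anyone); a human decides whether context makes them identifiable."""
    hints = []
    for tag, p in third_parties(requester, staff):
        first = p.full_name.split(" ", 1)[0]
        if re.search(rf"\b{re.escape(first)}\b", redacted, re.IGNORECASE):
            hints.append((tag, first))
    return hints


if __name__ == "__main__":
    text, log = redact(EXPORT, REQUESTER, STAFF)
    print(text)
    print(log)
    print("residual identifiers:", residual_identifiers(text, REQUESTER, STAFF))
    print("check by hand:", manual_review_hints(text, REQUESTER, STAFF))
```

The residual check is the part worth keeping even if you throw the rest away: it is cheap, and it is the difference between “we redacted” and “we verified the redaction”. Indirect identifiers (job titles, “the person who sat next to me”, a date only one colleague could match) are invisible to a regex, which is why the output still goes to a human reviewer before disclosure.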
UK HR software compared on SAR readiness
The table below scores UK-relevant HR platforms against the five capabilities. Verified May 2026 from vendor documentation. Where a feature is partial or requires workflow setup, that is noted.
| Platform | Per-employee export | Document storage | Audit trail | Redaction | Request log |
|---|---|---|---|---|---|
| HiBob | Yes (API + CSV) | Yes | Yes (granular) | Partial (manual) | No (use external tracker) |
| BambooHR | Yes (API) | Yes | Yes | Partial | No |
| Sage HR | Yes | Yes | Yes | No native | No |
| People HR | Yes | Yes | Yes | No native | No |
| Employment Hero | Yes | Yes | Yes | Partial | No |
| BrightHR | Yes (CSV) | Yes | Limited | No native | No |
| Breathe HR | Yes | Yes | Limited | No native | No |
| CharlieHR | Yes (CSV) | Yes | Limited | No native | No |
The takeaways:
- HiBob is currently the cleanest SAR experience among UK mid-market platforms. Granular audit logs, structured exports via API, and well-documented data export endpoints.
- BambooHR is strong on API but US-leaning in document storage conventions; UK teams find it easy enough but need to think about US default settings.
- UK-built SME platforms (BrightHR, Breathe HR, CharlieHR) cover the basics but force HR teams to build their own request log and redaction process. For SME volume this is usually manageable.
- None of the platforms above has complete native redaction tooling; the best offer partial support that still depends on a person deciding what to remove. Redaction remains a manual editorial task across the market.
A SAR response must include data wherever it lives, not just in the HR system. Typical scattered locations: HR system (records, contracts, performance), email (manager exchanges, recruitment correspondence), Slack/Teams (informal references), shared drives (line manager files), payroll system (tax records, P60s, pension contributions), benefits portal (private medical, life insurance enrolment), ATS (interview notes from before hire). Mapping these locations once, in advance, turns a SAR into a checklist exercise rather than a discovery exercise.
The five SAR exemptions UK HR teams should know
The right of access is not absolute. UK GDPR, through the exemptions in Schedule 2 to the Data Protection Act 2018, lets employers withhold some or all of the requested data in defined circumstances. The five most relevant in employment:
- Legal professional privilege: communications between you and your lawyers covered by legal advice privilege or litigation privilege do not need to be disclosed.
- Management planning: internal plans about reorganisation, redundancy, promotion ranking before they are communicated to the employee can be withheld where disclosure would prejudice the planning process.
- Confidential references: employment references you have given or received for the employee are exempt. The exemption applies both to outgoing and incoming references.
- Crime and taxation: data held for purposes of preventing or detecting crime, or assessing tax, may be withheld in narrow circumstances.
- Manifestly unfounded or excessive: you may refuse a SAR (or charge a “reasonable fee”) if it is manifestly unfounded, repetitive, or excessive. The ICO interprets these terms narrowly.
Every exemption requires case-by-case justification and documentation. The ICO expects to see the reasoning, not just the outcome. “We applied the management planning exemption to redundancy planning documents dated X to Y for the following reason: [reason]” is a defensible audit trail. “We didn’t disclose those documents” is not.
Worked example: a departing employee files a SAR
Take a hypothetical UK SaaS company. An employee resigns after a difficult performance review process. Three weeks after their last day, they email HR from a personal address asking for “all the data you hold about me, including any HR notes and emails between managers about me.” This is a valid SAR.
Day 0 (Friday): the email arrives in the HR inbox. HR acknowledges receipt within one working day and opens a SAR log entry: requester name, date received, contact details, scope of request. The clock started on the Friday the email arrived, not on the day HR first read it.
Day 3 (Monday): HR sends a brief identity-verification email asking the requester to confirm the request and prove who they are. This is reasonable because the request came from a personal address that was not on file. Ask for no more than the check needs (a detail only the employee would know, or a scan of one ID document that is deleted once checked), and record the pause start date in the log. The clock pauses under the February 2026 stop-the-clock rule.
Day 5 (Wednesday): the requester provides identity. The clock restarts and the log records the pause end date. The two paused days push the deadline out: one month from Day 0 plus two days, which lands at roughly Day 33 depending on the length of the month.
Day 4 onwards: HR collects data. Structured export from the HR system covering personal records, holiday, sickness, performance review. Document collection from HR file storage (contract, training certificates, written feedback). Email collection from the line manager’s mailbox using a search term and date range. Slack history covering the same period.
Day 15: HR completes redaction. Manager comments about other employees that mention the requester’s name are reviewed; third-party personal data is removed. A reference the requester received from another employer is withheld under the confidential reference exemption.
Day 18: HR sends the response with a covering letter explaining the scope of the disclosure, the exemptions applied, and how to ask for clarification. The SAR log is updated to “responded.”
Total HR time: approximately 4 hours, spread over 18 calendar days. The cost is in collection, not response. A well-structured HR system reduces total time to under 2 hours; a poorly structured system pushes it past 8 hours.
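The stop-the-clock rules set out earlier, the request log and deadline tracker that the feature table says most platforms lack, and the dated walk-through above all come down to the same small piece of arithmetic. As an added illustration (not code from any vendor and not from the original page), the Python script below keeps a SAR log with pause and resume, the optional extension, and an audit trail of every event, then replays the worked example on real 2026 dates (1 May 2026 is a Friday). The calendar-month convention and the decision to count whole paused days are this example’s assumptions, stated in the docstring; check them against current ICO guidance before relying on the dates it produces.

```python
"""Added example: a minimal SAR request log that does the deadline arithmetic
described on this page (receipt, stop-the-clock pauses, the 2-month extension)
and keeps the audit trail of every start and stop.

Conventions assumed here, not taken from the statute text:
- "1 month" is the corresponding date in the following month, or the last day
  of that month when there is no corresponding date (31 Jan + 1 month = 28 Feb).
- A pause moves the deadline out by the number of whole days it was open.
- An extension must be notified on or before the (pause-adjusted) original
  deadline and is allowed once, for 1 or 2 months.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Corresponding date `months` later, clamped to the end of the target month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class SarRequest:
    requester: str
    received: date
    scope: str
    extension_months: int = 0
    # (start, end or None while still open, reason)
    pauses: list[tuple[date, date | None, str]] = field(default_factory=list)
    # (when, what): the audit trail the ICO expects
    events: list[tuple[date, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._log(self.received, f"received from {self.requester}; scope: {self.scope}")

    def _log(self, when: date, what: str) -> None:
        self.events.append((when, what))

    def pause(self, when: date, reason: str) -> None:
        """Stop the clock for identity verification or scope clarification."""
        if self.pauses and self.pauses[-1][1] is None:
            raise ValueError("clock is already paused")
        self.pauses.append((when, None, reason))
        self._log(when, f"clock paused: {reason}")

    def resume(self, when: date) -> None:
        """Restart the clock once the verification or clarification arrives."""
        if not self.pauses or self.pauses[-1][1] is not None:
            raise ValueError("clock is not paused")
        start, _, reason = self.pauses[-1]
        if when < start:
            raise ValueError("resume date precedes pause date")
        self.pauses[-1] = (start, when, reason)
        self._log(when, f"clock resumed after {(when - start).days} day(s): {reason}")

    def paused_days(self, as_of: date | None = None) -> int:
        """Total days the clock has been stopped; an open pause counts up to as_of."""
        as_of = as_of or date.today()
        return sum(((end or as_of) - start).days for start, end, _ in self.pauses)

    def deadline(self, as_of: date | None = None) -> date:
        """Due date: 1 month (plus any extension) from receipt, plus paused days."""
        base = add_months(self.received, 1 + self.extension_months)
        return base + timedelta(days=self.paused_days(as_of))

    def extend(self, when: date, months: int, reason: str) -> None:
        """Extend for a complex or multiple request; must be notified in the original month."""
        if months not in (1, 2):
            raise ValueError("extension must be 1 or 2 months")
        if self.extension_months:
            raise ValueError("deadline already extended")
        if when > self.deadline(when):
            raise ValueError("extension notified after the original deadline")
        self.extension_months = months
        self._log(when, f"deadline extended by {months} month(s): {reason}")

    def respond(self, when: date, exemptions: list[str]) -> bool:
        """Record the response and report whether it met the deadline."""
        on_time = when <= self.deadline(when)
        applied = ", ".join(exemptions) or "none"
        self._log(when, f"responded {'on time' if on_time else 'LATE'}; exemptions applied: {applied}")
        return on_time


def worked_example() -> tuple[SarRequest, bool]:
    """The departing-employee scenario above on real dates: Friday 1 May 2026 receipt,
    identity check requested on the Monday, ID received on the Wednesday."""
    req = SarRequest("former employee", date(2026, 5, 1),
                     "all data held, including HR notes and manager emails")
    req.pause(date(2026, 5, 4), "identity check: request came from a personal address not on file")
    req.resume(date(2026, 5, 6))   # two paused days
    on_time = req.respond(date(2026, 5, 19), ["confidential reference (received)"])
    return req, on_time


if __name__ == "__main__":
    req, on_time = worked_example()
    for when, what in req.events:
        print(when, what)
    print("deadline:", req.deadline(), "on time:", on_time)
```

Running it prints the event trail and a deadline of 3 June 2026, i.e. one month from receipt plus the two paused days, which is the “Day 33” of the walk-through. The guard in `extend` is the check people forget in a spreadsheet: the extension is only valid if the requester is told before the original month runs out.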
The other GDPR rights HR software needs to handle
SARs (the right of access) are the most common rights request, but UK GDPR includes other rights that HR software encounters less frequently and often handles less well.
Right to rectification: employees can ask you to correct inaccurate personal data. HR software needs an audit trail showing the previous value, the corrected value, and the date. Most platforms handle this through their general change history.
Right to erasure (right to be forgotten): employees can ask you to delete their data in specified circumstances. In employment, this right is often limited by other legal obligations: statutory retention periods for payroll and pension records override it, and many employers keep employment records for 6 years because of the limitation period for contract claims. HR software should support deletion of fields where it is permitted, while preserving statutory records.
Right to data portability: employees can ask for their data in a structured, commonly used, machine-readable format. CSV or JSON export usually satisfies this, but specifically for data the employee provided (CV, application form), not data you generated about them.
Right to restrict processing: employees can ask you to pause processing of their data while a dispute is resolved. HR software should support marking a record as “restricted” without deleting it.
UK-built platforms like BrightHR, Breathe HR, Sage HR and People HR handle these rights in their general data-management features. Globally-built platforms like BambooHR, HiBob and Rippling usually have stronger structured-data tooling but require more setup to map their generic features to UK GDPR specifics.
Our verdict: SAR-readiness as a buying criterion
For UK SMEs evaluating HR software in 2026, SAR-readiness shouldn’t be the deciding feature, but it should rule out the worst options. Three rules of thumb:
- If you employ more than 50 UK staff, prioritise structured export. HiBob and BambooHR have the strongest API-based exports among current UK mid-market options. If you receive more than two SARs a year, the time savings pay for the slightly higher platform cost.
- If you employ fewer than 50 UK staff, almost any UK-built platform works. SAR volume at SME scale rarely justifies optimising the platform choice for it. Pick the platform that fits your wider HR needs and build a manual SAR process around it.
- Audit your scattered data sources annually. The single biggest SAR-fulfillment cost isn’t the HR system. It’s the email, Slack, payroll, benefits portal, and line-manager files that hold employee data outside the HR system. Map those once a year.
The 2026 stop-the-clock rule helps. The exemptions help. A well-organised HR system helps. None of these substitutes for a clear internal SAR procedure that says who owns the request, who collects what, who reviews exemptions, and who signs off the response. Procedure is the difference between handling SARs as a normal HR task and handling them as an emergency every time.
For a broader view of UK HR software options across pricing tiers, see our best HR software for UK businesses roundup. For SAR-adjacent compliance topics like absence management and Bradford Factor, see the related guides in this vertical. The compliance side of HR software in 2026 rewards thoughtful procurement; SAR fulfillment is one of the most tangible day-to-day examples of that.