Data protection

Type:: Letters and forms

Worker privacy notice

Use our updated template wording to review and amend your organisation’s worker privacy notice to reflect new requirements from 19 June 2026 for handling data protection complaints.

Type:: Letters and forms

Job applicant privacy notice

Use our updated template wording to review and amend your organisation’s job applicant privacy notice to reflect new requirements from 19 June 2026 for handling data protection complaints.

Type:: Letters and forms

Employee privacy notice

Use our updated template wording to review and amend your organisation’s employee privacy notice to reflect new requirements from 19 June 2026 for handling data protection complaints.

Type:: Policies and procedures

Processing special category personal data and criminal records data policy

Use our updated template wording to review and amend your organisation’s data protection policy to reflect new requirements from 19 June 2026 for handling data protection complaints.

Type:: Policies and procedures

Data protection policy

Use our updated template wording to review and amend your organisation’s data protection policy to reflect new requirements from 19 June 2026 for handling data protection complaints.

Type:: Letters and forms

Form to raise data protection complaint

Use this model form to allow an individual to raise a complaint about how the organisation has handled their personal data.

Type:: How to

How to manage the retention of employee data under the UK GDPR

From 6 April 2026, employers have a duty to keep records relating to statutory annual leave for at least six years, under provisions in the Employment Rights Act 2025.

Type:: How to

How to determine the legal grounds for processing employee data under the UK GDPR

Updated to reflect that "recognised legitimate interests" has been added as a seventh potential legal ground for processing, by the Data (Use and Access) Act 2025. The most relevant grounds for employers remain performance of a contract, legal obligations or the employer's legitimate interests.

Type:: FAQs

How does the UK GDPR affect the processing and retention of recruitment data by employers?

Updated to reflect that restrictions on automated decision-making are removed by the Data (Use and Access) Act 2025 from 5 February 2026, but that employers must still have safeguards in place.

Type:: FAQs

Can an employer use AI to make shortlisting decisions?

Updated to reflect that restrictions on automated decision-making are removed by the Data (Use and Access) Act 2025 from 5 February 2026, but that employers must still have safeguards in place.

Topics

Subtopics

New and updated

Worker privacy notice

Job applicant privacy notice

Employee privacy notice

Processing special category personal data and criminal records data policy

Data protection policy

Form to raise data protection complaint

How to manage the retention of employee data under the UK GDPR

How to determine the legal grounds for processing employee data under the UK GDPR

How does the UK GDPR affect the processing and retention of recruitment data by employers?

Can an employer use AI to make shortlisting decisions?

About this topic

Data protection: key resources

Employment law guide: Data protection - UK GDPR scope and definitions

Employment law guide: Data protection - principles for processing personal data

Employment law guide: Data protection - legal grounds for processing personal data

Data protection policy

How to manage the retention of employee data under the GDPR

Data protection impact assessment form

Employee privacy notice

Data protection: quick links

Policies and procedures

Letters and forms

How to - practical guidance

FAQs

Podcasts and webinars