Data Privacy Risks from the Great Resignation

As we move through 2026, the "Great Resignation" has evolved into a permanent state of talent mobility, and the UK’s data protection landscape has shifted significantly. The Information Commissioner’s Office (ICO) is no longer operating under the 2022 status quo.

Following the passage of the Data (Use and Access) Act 2025 (DUAA), which began its phased implementation in late 2025 and early 2026, HR teams face a new reality.

The New Regulatory Landscape: DUAA 2025

The UK has officially moved toward a more "pragmatic" post-Brexit framework. While many core GDPR principles remain, the DUAA has introduced key changes that specifically impact how HR manages employee data:

  • Vexatious Requests: Organizations can now refuse data subject access requests (DSARs) that are deemed "vexatious or excessive." This is a lower bar than the previous "manifestly unfounded" standard, giving HR a defensive shield against disgruntled former employees using DSARs as a weapon.
  • Complaints First: Data subjects are now required to attempt to resolve their complaints directly with the organization before escalating to the ICO. This places a heavier "first responder" burden on HR.
  • Reasonable Searches: The law now clarifies that HR only needs to conduct "reasonable and proportionate" searches. You are no longer legally expected to find the proverbial needle in a haystack of a 20-year email archive if the cost is disproportionate.

Data Risks in a Hybrid, AI-Powered Workplace

The risks Ray Pathak identified in 2022 have been amplified by two major 2026 trends: Shadow AI and Permanent Hybridity.

1. The "Shadow AI" Exfiltration Risk

In 2026, the biggest threat isn't just a USB stick; it’s generative AI. Resigning employees frequently feed proprietary data (customer lists, strategy docs, or internal HR policies) into unauthorized AI tools to "summarize" or "rewrite" them for their next role. This constitutes a significant data breach, and the data often lands in "unmanaged" LLM training sets.

2. The Unstructured Data Explosion

With the UK having the second-highest adoption of hybrid work globally, employee data is more fragmented than ever.

  • Ephemeral Messaging: Work-related conversations on WhatsApp, Signal, and Teams "huddles" are now primary targets for litigation and DSARs.
  • Audio/Video Logs: Automated meeting recorders (AI note-takers) have created a massive new category of unstructured PII that many HR teams aren't even tracking in their data inventories.