One Month on the Clock: Why Retrieval Readiness Is the Records Management Story of 2026

It’s a Monday morning in April. Your HR director forwards an email from a solicitor acting for a former employee. Attached is a subject access request, alongside notice that the individual is preparing an employment tribunal claim. The request covers nine years of employment, two internal grievances, and a disciplinary process that ran through 2021.

The one-month clock has started.

The records sit in four places. The current HRIS holds everything from 2019 onwards. An archived HRIS from an acquisition the business never fully migrated holds everything before that. A set of scanned PDFs on a shared drive was produced in a rush during the pandemic. And several boxes of paper personnel files sit in a third-party storage unit that was last opened in 2020. The disciplinary correspondence lives in the former line manager’s email trail, which was left open when they departed in 2022.

You have 30 calendar days to retrieve it all, review it for relevance, redact third-party personal data, and produce a defensible disclosure pack. That is before the HR team gets on with the other forty things they were doing on Monday morning.

This is the retrieval problem. For regulated UK organisations in 2026, it has stopped being a productivity issue and become a compliance one.

Why personnel records are the canary in the coal mine

Employees and ex-employees are among the most frequent makers of subject access requests, particularly around grievances, disciplinary processes, exits, and tribunal claims. That pattern alone would make personnel records a priority for retrieval readiness. But personnel records have a second, less commented-upon problem: they are typically the worst-organised records estate in the business.

Sales and customer records live in a CRM. Finance records live in a finance system. Client records in regulated sectors live in bespoke platforms subject to regulatory inspection. Personnel records, by contrast, are spread across HRIS platforms, shared drives, paper archives, departed managers’ inboxes, informal manager notes, and third-party payroll and benefits systems. For long-tenured staff and for organisations that have grown through acquisition, the estate is often genuinely unknowable in its totality.

We recently completed a personnel records digitisation project for a large multi-site food producer in the UK. The engagement covered just over 7,600 paper personnel files distributed across twelve sites, with the earliest records dating back to the year 2000. Some digitisation work had been undertaken previously by others, but a substantial paper estate remained – which is a pattern we see frequently. Partial digitisation projects often stall when the easy material has been captured, and the difficult material (poor-condition paper, mixed formats, inconsistent naming, distributed physical storage) is what’s left. The business wasn’t holding records it didn’t need – on review, a negligible proportion of the estate was past its retention period – but it was holding records it couldn’t quickly access. The single most valuable outcome of the project, according to the client, wasn’t storage footprint or compliance posture. It was simply the ability to get hands on a record when one was needed.

If you want to understand how retrieval-ready your organisation actually is, audit your personnel records estate first. Whatever you find there is very likely what you’d find elsewhere if you looked hard enough.

The clock that really matters

Under the UK GDPR, a controller must respond to a subject access request “without undue delay” and at the latest within one calendar month of receiving the request[1]. The deadline runs to the same calendar date a month later, regardless of weekends or bank holidays. For complex requests, or where a requester has submitted multiple requests, the controller may extend the response window by up to two further months – but must notify the requester of the extension, and the reasons for it, within the original one-month period.

That has been the position since 2018. What’s new is the Data (Use and Access) Act 2025, which became law on 19 June 2025 and introduced a “stop the clock” provision. Under the new rules, organisations can pause the response timeline while they wait for a requester to clarify or refine a request, or to provide additional information – without risking the deadline in the meantime[2]. The Act also codifies existing case law around what counts as a “reasonable and proportionate” search.

It would be easy to read the new provision as a relaxation. It isn’t. The stop-the-clock mechanism applies only when the controller is waiting for the requester, not when it’s scrambling to find its own records. And the codification of “reasonable and proportionate” raises, rather than lowers, the bar – an organisation that claims its search was reasonable under the new statutory formulation will need to demonstrate it, not merely assert it. What the Act really tells us is that Parliament has accepted retrieval at scale is hard, and has chosen to tighten the framework around it rather than ease the underlying obligation.

What happens when you miss it

In December 2024, the Information Commissioner’s Office reprimanded an NHS Trust for failing to respond to 32% of subject access requests within the statutory one-month timeframe. The reprimand cited inadequate systems for logging and managing SARs, and difficulties ensuring the accuracy and completeness of data required to fulfil the requests[3]. The Trust’s problem was not a refusal to comply. It was an inability to retrieve.

In March 2025, the ICO issued similar reprimands to two Scottish councils for repeated failures to meet the SAR deadline. And in September 2025, the regulator went further. The director of a care home in Bridlington was convicted under section 173 of the Data Protection Act 2018 for blocking, erasing or concealing records to prevent them being disclosed in response to an SAR. A woman had requested personal data about her father using a lasting power of attorney, including incident reports, CCTV footage, and care notes. The court fined the director £1,100 and ordered him to pay £5,440 in costs[4].

The case is modest in its financial scale, but its significance is out of proportion to the numbers. It’s the first successful section 173 prosecution of this kind, and it demonstrates that individuals – not just organisations – can now be criminally liable for obstructing disclosure. For directors, senior managers and data protection leads in regulated businesses, that is a material change in the personal risk calculus of poor records management.

What emerges from the enforcement pattern is not a random selection of unfortunate organisations. It’s a consistent picture of entities that couldn’t retrieve what they held in the time the law requires. In almost every reprimanded case, the records existed. The systems didn’t.

Why retrieval fails in regulated businesses

Most retrieval failures trace back to five root causes, and most organisations have at least three of them.

The first is records held in formats that cannot be searched. The classic example is the twenty-year paper personnel file, complete with handwritten annotations. The modern equivalent is the scanned PDF produced by a rushed lockdown-era digitisation project, where the document is effectively a photograph of a page rather than text that can be searched or indexed. From a retrieval perspective, a non-OCR’d scan is little better than the paper it replaced.

The second is the absence of meaningful classification. On review, most organisations cannot tell at a glance which folder contains disciplinary records, which contains reasonable adjustments correspondence, and which contains training logs. Without a classification scheme that reflects the actual shape of the business, searches become exhaustive rather than targeted – and exhaustive searches don’t finish inside a one-month window.

The third is the retention schedule that lives on paper but isn’t enforced in systems. Policy says records should be disposed of after a defined period. Reality is that the shared drive contains everything that was ever placed on it, and the archive contains everything that was ever sent to it. The estate ends up holding records that should have been disposed of years ago, and, in some cases, missing records that should still be held.

The fourth is legacy systems inherited through mergers, acquisitions, or migrations. The HRIS from the 2019 acquisition is still running read-only because nobody trusts the migration. It holds records for 40% of the current workforce. Nobody has a live account to query it directly, so when the records are needed, someone has to raise an IT ticket. When you have thirty days to respond to an SAR, that’s a problem.

The fifth is shadow records: manager notes on personal devices, team discussions in messaging platforms, performance observations that never made it into the formal record. These are often the records that would be most relevant to a tribunal claim, and the hardest to produce.

Most of these problems have practical answers – searchable digitisation with OCR and structured metadata for the first, data migration services for the fourth – but they are governance problems before they are technical ones, and they need to be treated as such.

What retrieval readiness looks like

A retrieval-ready records estate has a small number of distinguishing characteristics. Records are held in searchable formats, with OCR applied to scanned documents and structured metadata attached at the point of capture. The classification scheme reflects the actual operational shape of the business, so a request for “all disciplinary correspondence” can be narrowed without reading every record in a general HR folder. Retention rules are enforced in the systems themselves, not merely stated in policy documents – records are disposed of, or flagged for disposal, when they fall out of their retention window. Access logs are comprehensive enough to demonstrate a defensible search methodology to the ICO if challenged.

And critically, there is a single operational playbook for responding to an SAR that the HR, legal, and IT functions have all agreed to in advance. The playbook defines who acknowledges the request, who runs the searches, who reviews for relevance and third-party data, who approves redactions, and who signs off the disclosure pack. It nominates backup owners for every role. It includes the clarification questions most frequently needed in practice, so the stop-the-clock provision can be invoked quickly and legitimately when it applies. It specifies the external partners and records-custody providers the organisation can call on if the internal team is stretched.

None of this is glamorous. It’s the connective tissue that sits between a regulatory requirement and an operational estate, and most organisations underinvest in it because, on any given day, none of it feels urgent. The investment only demonstrates its value when the request lands, the clock starts, and the team has to produce. That’s usually the wrong moment to discover the gaps.

RIMM as a prompt, not a calendar entry

Records and Information Management Month has been observed internationally every April since 2003, when ARMA International expanded what had begun in 1995 as a single day of awareness into a month-long observance[5]. The original intention was to draw attention to records management as a discipline – a purpose that is, if anything, more relevant in 2026 than it was three decades ago.

The most useful way to treat RIMM isn’t as a week of awareness posts. It’s as an annual checkpoint. Pick one high-risk record class – personnel records are the obvious starting point, for the reasons discussed above. Run a simulated retrieval exercise against it: nominate a recent joiner, a recent leaver, and a long-tenured member of staff, and attempt to produce the disclosure pack you would produce if each of them had filed an SAR that morning. Measure how long it takes, how complete it is, and where it breaks down.

If the answer is “not close enough to a 30-day deadline”, that is what the following twelve months of work look like. Dajon helps regulated organisations scope, plan, and deliver that work – starting with the personnel records estate, because it’s where the risk and the return on investment tend to be highest.


References

  1. What should we consider when responding to a request? ICO.
  2. Data (Use and Access) Act factsheet: UK GDPR and DPA. GOV.UK.
  3. ICO enforcement actions: Latest trends and insights. Lexology.
  4. When Ignoring a GDPR Subject Access Request Becomes a Crime. Act Now Training.
  5. Records and Information Management Month. National Today.