FAQs - May 2026

Last reviewed: 30.04.2026

  1. Should we update our GDPR documentation to take account of changes introduced by the Employment Rights Act 2025 and/or other new legislation?

  2. What is happening with ethnicity and disability pay gap reporting? 

  3. Where can we find out the latest statutory rates for family related leave?

  4. One of our employees has told us that they have been prescribed medical cannabis. How should we handle this?

  5. How will the rules around non-disclosure agreements change under the Employment Rights Act 2025?

Q&As


1. Should we update our GDPR documentation to take account of changes introduced by the Employment Rights Act 2025 and/or other new legislation?

Yes, when handling personal data of staff and job applicants, employers are obliged to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and demonstrate that they are complying with its principles. In practice, this requires employers to have specific data protection documents in place, and to keep these up to date. There have been some recent legislative changes which mean that now is a good time to review your documentation.

The following changes contained in the Employment Rights Act 2025 may impact the data retention periods in your data protection documentation:

  • A new obligation to maintain records relating to statutory holiday for six years took effect in April 2026.
  • An increase in time limits for bringing employment tribunal claims from three to six months is expected to take effect (no earlier than October 2026). You should also bear in mind that time limits for Acas early conciliation have increased from six to twelve weeks.

In addition, the Data Use and Access Act 2025 (DUAA) is now in force. This introduces changes to the UK GDPR, which you should consider reflecting in your UK GDPR documentation, including the following:

  • The codification into statute of provisions in the ICO guidance which enable an employer to limit searches to reasonable and proportionate efforts when dealing with subject access requests.
  • A new statutory right for individuals to raise complaints directly with their employer if the individual believes that their employer has breached their data protection rights. The employer must respond within 30 days.
  • The addition of a new lawful basis for processing personal data known as “recognised legitimate interests”, which allows employers in limited situations (such as crime prevention, safeguarding or responding to emergencies) to process personal data without carrying out a full legitimate interests balancing test.

For more details about the DUAA, see the ICO summary document.

Keep in mind that the type of personal data that you process about your staff and how you handle it is likely to evolve over time, so your documentation should reflect the personal data you hold and what you do with it in practice. Be aware too that if it is some time since you reviewed your UK GDPR documentation, you could also have missed other relevant changes to ICO guidance, which could impact your UK GDPR compliance.

We therefore recommend that you review and, where necessary, update your UK GDPR documentation regularly to ensure ongoing compliance. For example, you should review your employee/job applicant privacy notices, data protection policy, record of processing and appropriate policy document to reflect the legislative changes described above, including reviewing retention periods of HR personal data. We also recommend that you review internal processes and guides which set out how long you retain HR personal data, how data protection breaches should be handled and the process for dealing with individual rights requests (such as subject access requests).

Make UK can provide an updated pack of essential template GDPR documents (see here).

If you are a Make UK subscriber, you can also access information about HR data protection matters in the HR and Legal Resources section of our website.

If you are not a Make UK subscriber, you can contact us for further support on this topic or to access our resources. Please click here for information on how we can help your business.

2. What is happening with ethnicity and disability pay gap reporting?

Following its consultation on mandatory ethnicity and disability pay gap reporting last year, the Government has published the response which confirms its intention to introduce mandatory ethnicity and disability pay gap reporting for large employers (i.e. those with 250 or more employees). 

The proposed legal framework broadly mirrors the current gender pay gap reporting regime.  Employers will need to publish the same six pay gap measures which are currently used for gender pay gap reporting, and the same snapshot dates used for data collecting and reporting will apply. Employers will be required to upload their ethnicity and disability pay gap data to an online reporting service and will be subject to the same enforcement mechanisms as with gender pay gap reporting. (For further information on the gender pay gap reporting framework, see our webpage Gender pay reporting.)

(Note that, as with gender pay gap reporting, employers with fewer than 250 employees will not be required to report on their ethnicity and disability pay gaps, but they will be encouraged to do so voluntarily.)

For ethnicity pay gap reporting, employers will need to collect ethnicity data using the ethnicity classifications set out in the Government Statistical Service’s (GSS) harmonised ethnicity standard. Ethnicity pay gaps should be reported with the minimum of a binary comparison between White (including White Other) and all other ethnic groups combined. However, if numbers within a group reach a minimum threshold (likely to be 10 employees, although still under consideration), employers must also report comparisons between the five broad ethnic groups identified in Government guidance to employers reporting ethnicity pay gaps voluntarily (i.e. White, Asian or Asian British, Black/Black British/Caribbean or African, Mixed or multiple ethnic groups, and Other ethnic groups).

For disability pay gap reporting, employers will need to compare disabled and non-disabled employees using the definition of disability set out in the Equality Act 2010. As with ethnicity reporting, the threshold for reporting on disability pay gaps is likely to be at least 10 employees in each group being reported on.

As well as reporting on the pay gaps, employers will need to provide details of the overall composition of their workforce by ethnicity and disability (referred to as ‘workforce reporting’), and the proportion of employees who choose not to disclose their ethnicity and/or disability status (‘declaration rates’).

Notably, employers will also be required to publish action plans setting out the steps they are taking to tackle any ethnicity and/or disability pay gaps they have identified. This will expand on, and align with, the requirement for employers to produce action plans covering steps to reduce the gender pay gap and support employees going through the menopause. (For further information on equality action plans, see our ⁣Action on Equality: Spotlight)

The Government has indicated that these changes will come into force via a new Equality (Race and Disability) Bill, a draft of which may be published in 2026. (We also expect such draft Bill to include various measures aimed at making it easier for disabled people and ethnic minorities to bring equal pay claims.) 

Although it is likely to be some time before these new measures come into force, employers should start taking preparatory steps now to minimise the potential risks that could arise from these changes.  In particular, now is a good time to review your HR and payroll systems to ensure they can collect the necessary ethnicity, disability and pay-related data. You should also review your information storage policies to ensure they comply with the GDPR requirements for special category personal data. You may need to encourage members of your workforce to voluntarily disclose the data you require for these purposes, which will require you to consider carefully how best to prepare relevant internal communications. The Government has indicated that regulations will set out the detailed ethnicity and disability reporting requirements and that guidance and practical tools will be developed to support employers with the new reporting requirements.

If you are a Make UK subscriber, you can speak to your regular adviser for guidance on pay related matters. Our HR consultancy team also has a wealth of experience to help you with preparing for these new reporting requirements.

If you are not a Make UK subscriber, you can contact us for further support. Please click here for information on how we can help your business.

3. Where can we find out the latest statutory rates for family related leave?

If you are a Make UK subscriber, you can find a list of the latest family related leave pay rates (as well as other rates such as statutory sick pay and national minimum wage rates, plus employment tribunal rates and limits) in the Rates and limits from April 2026 webpage in our HR and Legal Resources.

If you are not a Make UK subscriber, our expert HR and legal advisers can offer guidance on a consultancy basis. For further information, click here

4. One of our employees has told us that they have been prescribed medical cannabis. How should we handle this?

This is sensitive issue which needs to be handled carefully depending on the specific circumstances. 

At the outset is worth noting that if an employee takes medical cannabis without a valid prescription, an employer will generally be entitled to treat that as a misconduct issue, as in the United Kingdom cannabis remains illegal to possess and use. However, where an employee has a valid prescription for medical cannabis, imposing a blanket ban (for example telling the employee “you cannot work here if you take it”) could have legal risks and potentially open the employer to discrimination claims. 

Broadly speaking, it is generally best for an employer to treat the use of prescribed medical cannabis in the same way as any other medication, including setting appropriate safeguards around the impact of any side effects and taking a fair, evidence-based approach.  

As an employer you can set and enforce clear workplace rules about fitness for work, safety and conduct, in the same way you would with any other medication that may impair an individual’s ability to carry out their role. In particular, you can focus on the objective issue of whether the employee is “fit for duty” and the specific risks relating to the individual’s role. It is legitimate, for example, to ask whether the prescribed medication could impair the individual’s performance or amount to a health and safety risk, especially for roles in safety‑critical work environments, such as where the individual needs to operate heavy machinery.  

Depending on the specific role and medical advice in question, it may be reasonable to require that the employee does not attend work after they have taken the prescription, and (if the circumstances and level of risk justify doing so) require that the employee does not take doses during working hours or bring the medication on site - but only where that restriction is proportionate and based on evidence. 

If you are a Make UK subscriber, you can speak to your regular adviser for further guidance. 

If you are not a Make UK subscriber, you can contact us for further support on this topic or to access our resources. Please click here for information on how we can help your business. 

5. How will the rules around non-disclosure agreements change under the Employment Rights Act 2025?

Under the Employment Rights Act 2025, an employer will not be able to misuse non-disclosure and non-derogatory/non-disparagement agreements (which together we are referring to as ‘NDAs’) to stop a worker from making relevant harassment or discrimination allegations. It also won’t be able to stop the worker talking about the employer’s response to the harassment or discrimination, or how it responded when the allegation was made (for example, if the employer has failed to investigate an allegation, or gave a poor performance review as a result of a relevant allegation). 

Employers will still be able to use NDAs in agreements that meet specific conditions for an ‘excepted agreement’, such conditions to be set out in regulations. Regulations may also be made to set out who workers with excepted agreements can still speak to, and to extend the protection against misuse of NDAs to a wider category of workers. A Government consultation is currently underway on these and related issues - please email our Policy Team if you would like to contribute.

These changes will have a significant impact on the settlement of harassment and discrimination allegations, as well as the wording around confidentiality which is used in contracts and policies. It is expected that the changes will take effect in 2027, and will apply to any NDA made between the employer and the worker after the commencement date. We expect the detail to be set out in regulations in due course. 

You can read more about these plans, including how Make UK can help you to prepare, in our ⁣Non-Disclosure Agreements (NDAs): Spotlight.

To read more about other Government consultations that are currently “live” see question 5 of our ⁣HR and Employment Law FAQs April 2026.