Sage HR 2026: UK Post-Brexit Platform, IPA 2016 Investigatory Powers Act, ICO vs EU DPA, and the GDPR Adequacy Review Risk
Post #957 in the sota.io EU Cyber Compliance Series | EU-HR-TOOLS-SERIE Post #6 — Series Finale
This is the sixth and final post in the EU HR Software Series. The series began with the high-risk US platforms — Workday (Delaware C-Corp, CLOUD Act), BambooHR (Utah LLC, CLOUD Act) — moved through HiBob (Tel Aviv, Israel, EU adequacy with national security carve-outs), and then examined the two genuinely EU-native platforms, Personio (Munich GmbH, LOW risk) and Factorial (Barcelona SL, LOW risk). The sixth platform is Sage HR, operated by Sage Group PLC — a FTSE 100 company headquartered in Newcastle upon Tyne, United Kingdom.
The UK sits in a unique compliance position for EU data controllers: it is neither a US-jurisdiction entity (no CLOUD Act exposure) nor a fully EU-jurisdiction entity (left the EU in January 2020, UK GDPR diverges from EU GDPR, ICO is not an EU supervisory authority). The UK holds an EU adequacy decision under Article 45 GDPR — enabling EU-to-UK data transfers without additional safeguards — but that decision carries an ongoing review risk that does not exist for EU-incorporated processors like Personio or Factorial.
This post examines Sage Group's corporate structure, the Investigatory Powers Act 2016's relevance for HR data, what "UK adequate" means in practice, and where Sage HR sits in the six-platform risk comparison that closes this series.
Corporate Structure: Sage Group PLC
The Legal Entity
Sage Group PLC was founded in 1981 in Newcastle upon Tyne, England. It is incorporated under English law and listed on the London Stock Exchange (ticker: SGE), where it is a constituent of the FTSE 100 index. Sage is one of the largest UK-listed technology companies by market capitalisation, with revenue exceeding £2 billion annually and approximately 14,000 employees worldwide.
The company's registered office is at:
The Sage Group plc
North Park, Newcastle upon Tyne, NE13 9AA, England
Sage Group PLC is the ultimate parent of all Sage entities, including those providing Sage HR.
Sage HR: The Product History
The Sage HR product has an interesting corporate lineage. In 2019, Sage Group acquired CakeHR — a cloud HR platform founded in 2016 and incorporated in Riga, Latvia. CakeHR was a European-origin SaaS product designed for SMBs, built on AWS infrastructure with data centres in the EU.
After the acquisition, Sage rebranded CakeHR as Sage HR and integrated it into the Sage product portfolio as the cloud HR module for European SMBs. The Riga-origin infrastructure gives Sage HR a distinct lineage from legacy Sage on-premise products like Sage HRMS (US-market), making it more genuinely EU-cloud in its technical origins.
Sage's US Operations
Unlike Personio and Factorial — which are purely EU-incorporated and have no US parent — Sage Group PLC has significant US operations. Sage's US products include:
- Sage Intacct — cloud accounting for mid-market US companies
- Sage 50cloud — SMB accounting (formerly Peachtree)
- Sage HRMS — US-market on-premise HR (legacy)
These US operations are conducted through Sage Software, Inc. — a US subsidiary incorporated in Georgia. This creates a corporate structure with a UK parent and US subsidiary, unlike the pure EU structures of Personio (German GmbH with no non-EU parent) and Factorial (Spanish SL with no US entity).
The UK parent / US subsidiary structure is relevant to the CLOUD Act analysis below.
CLOUD Act Analysis: UK PLC vs US Subsidiary Structure
Why Sage HR Is Not Directly Subject to the CLOUD Act
The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. §2713) compels domestic US persons — US-incorporated entities and those under US control — to produce customer data on US government request, regardless of where that data is stored. The statute reaches US persons and their controlled subsidiaries.
Sage Group PLC is not a US person. It is incorporated under English law, listed on the LSE, and headquartered in Newcastle. A US government subpoena directed at Sage Group PLC under the CLOUD Act framework would face jurisdictional limitations that do not apply to Workday (Delaware) or BambooHR (Utah).
This distinguishes Sage HR from the HIGH-risk platforms in this series. For EU companies using Sage HR to store employee personal data (GDPR Article 9 categories — health, trade union membership, biometrics), the CLOUD Act cannot directly compel Sage Group PLC to produce that data.
The Subsidiary Consideration
Sage Group PLC has a US subsidiary (Sage Software, Inc., Georgia). The CLOUD Act can reach US subsidiaries of foreign parents when those subsidiaries are themselves "domestic US persons." However, Sage HR Cloud — the product serving EU SMBs — is operated by Sage Group's European entities, not by the US subsidiary. Sage HRMS and Sage Intacct (the US-market products) are US-operated. Sage HR (formerly CakeHR, serving EU SMBs) is operated through the UK parent and its European infrastructure.
The practical analysis: Sage HR data for EU SMBs sits with a UK legal entity (Sage Group PLC), not with the US subsidiary. The US subsidiary has no data-processing relationship with EU Sage HR users.
CLOUD Act verdict for Sage HR: NOT directly applicable. Sage Group PLC is a UK entity; the UK-origin Sage HR product is not operated by the US subsidiary.
The Investigatory Powers Act 2016: The UK Equivalent of CLOUD Act Concerns
What the IPA 2016 Does
If the CLOUD Act is the US statutory basis for government-compelled data production, the Investigatory Powers Act 2016 (IPA) — colloquially the "Snooper's Charter" — is the UK equivalent for UK companies and services.
The IPA 2016 consolidates and extends the UK government's surveillance and data-acquisition powers. Key provisions relevant to HR cloud services:
Part 2 — Lawful Interception (Targeted Warrants):
Sections 17–73 authorise the Secretary of State to issue targeted interception warrants against communications providers operating in the UK. "Communications provider" is defined broadly in the Investigatory Powers Act to include any service provider in the UK that transmits or stores communications.
Part 5 — Equipment Interference:
Sections 99–135 authorise GCHQ, MI5, and MI6 to conduct equipment interference — accessing devices and computer systems — under warrant. An equipment interference warrant against Sage's cloud infrastructure would, in principle, allow UK intelligence to access data stored by Sage HR.
Part 6 — Bulk Powers:
Sections 136–223 authorise bulk interception warrants, bulk acquisition warrants (requiring communications providers to hand over datasets in bulk), and bulk equipment interference warrants. These powers are available for national security purposes.
Schedule 6 — National Security Determinations:
Schedule 6 allows UK ministers to make "national security determinations" requiring communications providers to take specified steps — including technical capability notices that require providers to maintain technical capabilities to intercept or access data.
The "Triple Lock" and Its Limits
The IPA 2016 introduced a "Triple Lock" oversight mechanism:
- The Secretary of State must authorise any warrant.
- A Judicial Commissioner (a senior judge) must independently review and approve the warrant.
- The Investigatory Powers Commissioner's Office (IPCO) provides after-the-fact audit and oversight.
This procedural framework is frequently cited as evidence that the IPA has meaningful safeguards. However, from a GDPR compliance perspective, the oversight does not eliminate the legal capacity for UK authorities to compel access to data held by UK companies — it governs the process, not the power.
For EU data controllers using Sage HR, the practical concern is not that UK intelligence will target their specific HR records, but that a UK-incorporated service provider can be legally compelled by the UK government to produce or permit access to data under a framework the EU has scrutinised carefully.
Privacy International and the ECHR Challenge
The IPA 2016 has faced legal challenges. Privacy International brought proceedings before the UK Investigatory Powers Tribunal (IPT) and the European Court of Human Rights (ECHR) challenging the bulk interception powers under the IPA. The ECHR ruled in Big Brother Watch and Others v. United Kingdom (2021) that bulk interception under the predecessor RIPA regime violated Article 8 (right to privacy) of the European Convention on Human Rights in certain respects, prompting the UK to introduce modifications in the IPA.
These challenges do not remove the IPA's surveillance powers. They reflect the continuing tension between bulk intelligence collection and privacy rights — a tension that EU adequacy assessment bodies have monitored.
UK Adequacy Decision: The Transfer Mechanism and Its Review Risk
What the Adequacy Decision Covers
On 28 June 2021, the European Commission adopted two adequacy decisions relating to the United Kingdom under Article 45 GDPR:
- Decision 2021/1772 — for general GDPR purposes (covering commercial data transfers from EU to UK)
- A separate decision for law enforcement data transfers under the Law Enforcement Directive (LED)
Under Decision 2021/1772, EU data controllers can transfer personal data to UK-based processors (such as Sage HR) without requiring Standard Contractual Clauses or other Article 46 transfer mechanisms. The UK is treated, for data transfer purposes, as if it were an EU member state — "adequate."
The Adequacy Sunset Clause
The UK adequacy decisions include a review clause. The European Commission retained the power to review and potentially withdraw adequacy if UK data protection standards diverge materially from EU standards. This is a standard feature of adequacy decisions, but it has particular significance for the UK because:
- The UK government has actively sought to reform its data protection framework. The Data Protection and Digital Information (DPDI) Act — eventually enacted in 2025 as the Data Use and Access (DUA) Act — introduced modifications to UK GDPR that the European Data Protection Board (EDPB) monitored closely for EU-adequacy-threatening divergence.
- The EDPB issued Opinion 14/2021 on the UK adequacy decisions, noting concerns about the broad powers under the IPA and the adequacy decision's "national security carve-out."
- UK adequacy is not permanent and not guaranteed. A future policy change in the UK — for example, further divergence of UK GDPR from EU GDPR, or an ECHR challenge succeeding and triggering changes that the EU Commission views as reducing UK protection standards — could result in adequacy being reviewed or withdrawn.
What Adequacy Withdrawal Would Mean for Sage HR Users
If the UK adequacy decision were withdrawn or not renewed:
- EU companies using Sage HR would need to put in place Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to continue transferring employee personal data to Sage HR's UK-operated infrastructure.
- The obligation would fall on the EU data controller (the employer using Sage HR), not on Sage HR itself.
- This is operationally manageable — SCCs are a standard transfer mechanism — but it represents additional legal documentation burden that doesn't exist with EU-native processors like Personio or Factorial.
For compliance teams, the adequacy cliff is a monitoring obligation: EU companies using Sage HR should track UK-EU adequacy status as part of their data processor inventory.
Current status (May 2026): UK adequacy is valid and in force. The EU Commission conducted its review without withdrawing adequacy. The UK Data Use and Access Act 2025 was assessed as not materially diverging from EU adequacy standards. Adequacy continues. However, the review risk remains structurally present in a way that does not exist for EU-incorporated processors.
ICO vs EU DPA: The Supervisory Authority Difference
Why It Matters Which Authority Supervises Your Data Processor
Under GDPR, the supervisory authority of a data processor's establishment is a critical element of the compliance and enforcement framework. For EU-incorporated processors:
- Personio (Munich) → Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), German DPA
- Factorial (Barcelona) → Agencia Española de Protección de Datos (AEPD), Spanish DPA
Both BayLDA and AEPD are EU supervisory authorities. They cooperate under the GDPR's one-stop-shop mechanism (Article 56), the European Data Protection Board (EDPB), and the consistency procedure. If a processor established in Germany has a cross-border processing issue, the BayLDA leads as lead supervisory authority under Article 56, with other EU DPAs as concerned authorities.
For Sage HR — a UK-established processor — the supervisory authority is the Information Commissioner's Office (ICO).
The ICO is a serious regulator. It has issued significant penalties — including a £35 million fine against British Airways (2020), an £18.4 million fine against Marriott International (2020), and ongoing investigations in AI and data brokering. But it is not an EU supervisory authority.
What the ICO Difference Means in Practice
For EU companies using Sage HR:
- No one-stop-shop for EU-UK cross-border issues. An EU data subject complaint about Sage HR data processing goes to the EU company's local DPA, not the ICO. The ICO has no jurisdiction over EU data subjects' complaints about how EU controllers use their data — the ICO's jurisdiction relates to UK-established organisations and UK data subjects. This creates a split jurisdiction that can complicate enforcement.
- ICO enforcement of UK GDPR, not EU GDPR. UK GDPR has diverged from EU GDPR in several respects since Brexit. Enforcement standards, guidance, and case law from the ICO do not form part of the EU GDPR interpretive framework. EU data controllers cannot rely on ICO guidance in the way they can rely on guidance from BayLDA or AEPD.
- No EDPB cooperation. The EDPB — which harmonises GDPR enforcement across the EU/EEA — does not include the ICO. UK GDPR enforcement developments are separate from EU enforcement convergence.
For most SMBs using Sage HR for routine HR record-keeping, these jurisdictional differences are unlikely to create practical compliance problems. But for EU companies operating in regulated sectors — financial services, healthcare, public sector — where GDPR supervisory authority cooperation matters, the ICO's non-EU status is a structural difference from EU-native processors.
Infrastructure: AWS and Data Residency
CakeHR Origins: EU Data Centres
Sage HR's technical lineage from CakeHR (Riga, Latvia) means the product was built on AWS infrastructure with EU-region origins. CakeHR processed HR data for EU SMBs in AWS regions, and Sage Group has maintained EU data residency for the product.
Sage HR's cloud infrastructure uses Amazon Web Services (AWS), with primary data centres in EU regions. Sage Group's published data processing documentation indicates that Sage HR processes customer data in EU/EEA regions. This aligns with Sage's broader enterprise cloud strategy and its UK-headquartered but EU-serving positioning.
The AWS Infrastructure Layer
Like Personio (AWS Frankfurt) and Factorial (AWS Dublin/Ireland), Sage HR runs on AWS EU infrastructure. This introduces the familiar AWS-layer analysis: AWS entities in the EU (Amazon Web Services EMEA SARL, Luxembourg; Amazon Data Services Ireland Limited) are EU-incorporated entities operating under EU law, with their own CLOUD Act analysis.
The Sage → AWS layer does not reintroduce US CLOUD Act risk at the Sage level. The analysis for Sage HR's cloud infrastructure layer is substantially the same as for Personio and Factorial: AWS's EU entities are not directly subject to CLOUD Act orders, and data stored in AWS EU regions is processed by EU-incorporated AWS entities.
EU-HR-TOOLS-SERIE: Complete 6-Platform Comparison
This series has now examined all six platforms. The complete risk comparison:
| Platform | HQ | Legal Entity | US Entity? | Surveillance Law | GDPR DPA | Risk |
|---|---|---|---|---|---|---|
| Workday | Pleasanton, CA | Delaware C-Corp (NASDAQ:WDAY) | Yes — Direct | CLOUD Act §2713 | US FTC/State | HIGH |
| BambooHR | Lindon, UT | Utah LLC / SAP SE US sub | Yes — Direct | CLOUD Act §2713 | US FTC/State | HIGH |
| HiBob | Tel Aviv + NYC | Private Corp (IL dual nexus) | Partial | Israel Shin Bet Law + IPA (UK sub) + NYC | EU via adequacy (carve-outs) | MEDIUM |
| Personio | Munich | German GmbH | No | None (EU-native) | BayLDA (Germany) | LOW |
| Factorial | Barcelona | Spanish SL | No | None (EU-native) | AEPD (Spain) | LOW |
| Sage HR | Newcastle, UK | UK PLC (FTSE 100) | US sub (Sage Software GA) | IPA 2016 (UK) | ICO (UK, not EU) | MEDIUM |
Why Sage HR Is MEDIUM (Not HIGH, Not LOW)
Not HIGH: Sage Group PLC is not a US person. The CLOUD Act does not compel UK companies to produce data. Sage HR (formerly CakeHR) is operated by Sage Group's UK/European entities, not by the Georgia subsidiary. There is no direct US CLOUD Act exposure for EU-origin employee data held in Sage HR.
Not LOW: Three structural factors prevent LOW risk:
- IPA 2016 — UK surveillance law with broad scope for UK-established companies. Not equivalent to CLOUD Act in terms of extraterritorial reach, but creates government-compellable access risk that does not exist for EU-incorporated processors.
- Adequacy review risk — UK adequacy is not permanent. A policy or legal change in the UK could trigger adequacy withdrawal, requiring EU controllers to implement SCCs for Sage HR data transfers.
- ICO not EU DPA — UK GDPR enforcement diverges from EU GDPR. ICO is a non-EU supervisory authority, creating split-jurisdiction complexity for EU data subjects with complaints about UK-established processors.
GDPR Article 9 Considerations for HR Data
Sage HR processes GDPR Article 9 categories for many European customers:
- Health data — sick leave records, medical accommodations, return-to-work documentation
- Trade union membership — required for payroll deductions in many EU jurisdictions
- Disability status — accommodations, ESS adjustments
- Biometric data — time-tracking via fingerprint or facial recognition (where enabled)
For Art.9 data, controllers need to satisfy both a lawful basis (typically Art.6(1)(b) — performance of contract of employment) and an Art.9(2) exception (typically Art.9(2)(b) — employment law obligations). The processor (Sage HR) must have adequate security measures under Art.32.
The UK adequacy decision enables EU-to-UK transfer of Art.9 HR data without SCCs. If adequacy lapses, Art.9 data for EU employees stored in Sage HR would require SCCs — and the Schrems II transfer impact assessment (TIA) framework would need to account for IPA 2016 risks.
Practical Guidance for EU DPOs Using Sage HR
Current compliance posture (May 2026):
- UK adequacy is valid. No SCCs required for EU→UK data transfers to Sage HR today.
- CLOUD Act exposure: None direct. Sage Group PLC is UK-incorporated; the CLOUD Act does not compel UK entities to produce data. Include this analysis in your ROPA and TIA documentation.
- IPA 2016: Document and monitor. The IPA creates a disclosure risk that is lower probability than CLOUD Act for commercial HR data, but it exists. Document the IPA risk in your DPA agreement with Sage HR and your TIA.
- ICO jurisdiction: Note in ROPA. Your Data Protection Agreement with Sage HR will reference the ICO as the supervisory authority for Sage's processing. For cross-border GDPR issues involving EU data subjects, your local EU DPA is the relevant authority for your controller obligations; the ICO regulates Sage's processor obligations.
- Monitor UK adequacy status. Subscribe to the EU Commission's adequacy decision updates. If UK adequacy enters a review or withdrawal process, you will need to implement SCCs promptly. Maintain Sage HR's contact details and DPA documentation in a state ready for SCC amendment.
- Consider EU-native alternatives for high-sensitivity use cases. For EU companies in regulated sectors (financial services, healthcare, public sector) processing large volumes of Art.9 HR data, the structural simplicity of EU-native processors like Personio or Factorial — no adequacy monitoring, EU DPA jurisdiction, no IPA 2016 analysis — may justify a platform evaluation.
Why EU-Native HR Platforms Have a Structural Advantage
The six-platform series reveals a clear pattern: the compliance overhead grows as you move away from EU jurisdiction.
- EU-native (Personio/Factorial): No transfer mechanism needed. EU DPA supervision. No foreign surveillance law. Lowest documentation burden.
- UK-based (Sage HR): Adequacy decision required. ICO jurisdiction. IPA 2016 assessment. MEDIUM documentation burden.
- Non-EU adequate (HiBob/Israel): Adequacy decision required + national security carve-out analysis. Multiple surveillance law jurisdictions (Israel, UK sub, US presence). MEDIUM-to-HIGH burden.
- US-based (Workday/BambooHR): SCCs required. CLOUD Act TIA. US surveillance framework (FISA, NSL, ECPA) analysis. DPA negotiations. Highest burden.
For EU HR teams making procurement decisions, jurisdiction is not a minor checkbox. It determines years of ongoing compliance monitoring, DPA documentation, and legal exposure assessment.
Conclusion: Sage HR MEDIUM Risk, Series Verdict
Sage HR is a credible HR platform for EU SMBs with a MEDIUM compliance risk profile. It is not the HIGH-risk US platforms (Workday, BambooHR), and for most EU SMBs today — with UK adequacy valid — it functions comparably to EU-native platforms in day-to-day compliance terms. But it carries structural risks that Personio and Factorial do not: the IPA 2016, an adequacy decision that requires monitoring rather than being permanently embedded in EU law, and an ICO supervisory jurisdiction that creates split-jurisdiction complexity.
The series verdict is clear: EU-native beats UK beats US-with-EU-subs beats pure US, in descending order of compliance simplicity. For EU companies prioritising GDPR data sovereignty with minimal ongoing compliance overhead, Personio and Factorial sit at the LOW end of the risk spectrum for HR platforms. Sage HR — a legitimate and capable platform — adds a layer of post-Brexit compliance complexity that EU-native alternatives avoid.
EU-HR-TOOLS-SERIE: All Six Posts
- Post #1: Workday EU Alternative 2026 — Delaware C-Corp, CLOUD Act, GDPR Art.9 Employee Data
- Post #2: BambooHR EU Alternative 2026 — Utah LLC, CLOUD Act, GDPR Art.9 SMB HR Data
- Post #3: HiBob EU Alternative 2026 — Tel Aviv Israel, EU Adequacy, GDPR Art.9
- Post #4: Personio EU Alternative 2026 — Munich GmbH, No CLOUD Act, GDPR by Design
- Post #5: Factorial EU Alternative 2026 — Barcelona SL, AEPD, EU-Native
- Post #6: Sage HR 2026 — UK Post-Brexit, IPA 2016, ICO, Adequacy Review (this post)
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.