UK GDPR Rights for Individuals

Digital · UK-wide · Last reviewed: 1 April 2025 · 6 min read

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) give individuals in the UK eight legally enforceable rights over how organisations collect, store, and use their personal data. These rights apply whether the data is held by a business, public body, or online platform.

Key points

  • UK GDPR gives you eight rights: to be informed, of access, to rectification, to erasure, to restrict processing, to portability, to object, and rights around automated decision-making.
  • Organisations must respond to requests to exercise these rights within one month in most cases.
  • Rights are not absolute — exemptions apply in areas such as law enforcement, national security, and journalism.
  • The Information Commissioner's Office (ICO) enforces UK GDPR and can impose fines of up to £17.5 million or 4% of global turnover.
  • You can complain to the ICO if an organisation fails to uphold your data rights, and you may be able to seek compensation through the courts.

The Eight Individual Rights Under UK GDPR

UK GDPR sets out eight rights for individuals:

  1. Right to be informed: Organisations must tell you how they use your personal data through a clear privacy notice before collecting it.
  2. Right of access: You can ask what personal data an organisation holds about you, why, how it is used, and who it is shared with (a Subject Access Request, or SAR).
  3. Right to rectification: You can ask for inaccurate or incomplete personal data to be corrected.
  4. Right to erasure ("right to be forgotten"): In certain circumstances, you can ask for your data to be deleted.
  5. Right to restrict processing: You can ask an organisation to limit what it does with your data while a dispute is resolved.
  6. Right to data portability: You can ask for your data in a machine-readable format to transfer to another provider.
  7. Right to object: You can object to processing based on legitimate interests or for direct marketing; direct marketing objections must be complied with immediately.
  8. Rights in relation to automated decision-making and profiling: You have the right not to be subject to significant decisions made solely by automated systems without human review.

How to Exercise Your Rights

To exercise any of your UK GDPR rights:

  • You do not need to use any specific form — a written request (email is sufficient) to the organisation's Data Protection Officer (DPO) or data controller is enough.
  • The organisation has one month from receipt of a valid request to respond. This can be extended by up to two further months for complex or numerous requests, but they must tell you within the first month if an extension applies.
  • Exercising your rights is generally free. Organisations can charge a "reasonable fee" or refuse to respond only where requests are "manifestly unfounded or excessive" — for example, repetitive requests made to harass.
  • If an organisation holds a large amount of data about you, they may ask you to clarify your request — this pauses the one-month clock.

When Rights Can Be Restricted

UK GDPR rights are not absolute. Organisations may restrict or refuse to comply with rights requests in specific circumstances, including:

  • Crime prevention and detection: Police and other agencies may withhold information that could prejudice ongoing investigations.
  • National security and defence: Broad exemptions apply to intelligence services and armed forces.
  • Legal proceedings: Data processed for legal advice or in the context of actual or anticipated proceedings may be protected by legal professional privilege.
  • Journalism, research, and public interest: Journalistic data may be exempt where disclosure would be incompatible with editorial purposes.
  • Third-party data: An organisation can redact or withhold information in a SAR response where fulfilling it would reveal personal data of third parties who have not consented.

Where an exemption is claimed, the organisation should still tell you that they are withholding information and, where possible, on what grounds.

Enforcing Your Rights Through the ICO

If an organisation fails to respond to your rights request, or responds inadequately:

  1. Complain to the organisation first — many have a complaints process and a DPO who can resolve the matter.
  2. Complain to the ICO: You can report the organisation at ico.org.uk. The ICO will assess whether the organisation has breached UK GDPR and can issue enforcement notices and financial penalties.
  3. Seek compensation through the courts: Under Article 82 of UK GDPR, if you have suffered material or non-material damage (including distress) as a result of a data protection breach, you can bring a civil claim for compensation. Many such claims are brought under the small claims or fast-track procedure.

The ICO cannot award you compensation — only a court can do that. However, the ICO's findings can support a court claim.

Frequently asked questions

Does UK GDPR apply to UK companies after Brexit?

Yes. The UK retained the EU GDPR into domestic law as UK GDPR via the European Union (Withdrawal) Act 2018. UK GDPR came into force on 1 January 2021 and operates alongside the Data Protection Act 2018. The rights and obligations are substantially identical to EU GDPR, with some UK-specific modifications.

Can I exercise UK GDPR rights against any company, including those based overseas?

UK GDPR applies to any organisation that processes personal data of individuals in the UK, regardless of where the organisation is based, if it offers goods or services to UK residents or monitors their behaviour. However, enforcing rights against non-UK organisations can be practically difficult — the ICO has jurisdiction but limited enforcement reach outside the UK.

What is the difference between UK GDPR and the Data Protection Act 2018?

UK GDPR is the primary regulation setting out core rights and obligations. The DPA 2018 supplements UK GDPR with UK-specific provisions, including additional exemptions (e.g., for national security, immigration, journalism) and rules for processing in specific sectors. Both pieces of legislation work together and are enforced by the ICO.

Can I claim compensation if a company loses my data in a breach?

Yes. Under Article 82 of UK GDPR, you can claim compensation for material damage (financial loss) and non-material damage (distress, anxiety) caused by a data breach. You must bring the claim in the county court. Group litigation orders have been used for large-scale breaches affecting many individuals.

What to do next

  1. ICO individual rights guide: The ICO's official guidance on your data protection rights.
  2. Make a data subject access request: How to request all data an organisation holds about you.
  3. Right to erasure: When and how to get your personal data deleted.
  4. Data breach rights: Your rights when an organisation suffers a data breach.

Official bodies and resources

  • Information Commissioner's Office (regulator): The UK's independent authority for data protection and information rights, enforcing the UK GDPR and Data Protection Act 2018.
  • Citizens Advice (charity): Provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.

Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.