UK GDPR fundamentals · Articles 15–22

Data subject rights under UK GDPR — all eight

Updated April 2026 · UK GDPR Articles 15–22 · ICO aligned

UK GDPR gives individuals eight distinct rights over their personal data. Each right requires an operational procedure — not just a policy statement — and most must be responded to within one calendar month. The ICO receives more complaints about failure to respond to data subject rights requests than about almost any other matter. Having a documented procedure for each right is both a legal requirement and a practical protection.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

1. Right of access — Article 15

Individuals have the right to obtain confirmation that their data is being processed and, if so, to receive a copy of that data together with supplementary information about the processing. This is the Subject Access Request right. Responses must be provided free of charge within one calendar month. For a detailed guide to handling SARs, see How to handle a Subject Access Request.

2. Right to rectification — Article 16

Individuals have the right to have inaccurate personal data corrected without undue delay. They also have the right to have incomplete data completed, including by providing a supplementary statement. The controller must respond within one month. Where data has been disclosed to third parties, they must be notified of the rectification where feasible, unless this is impossible or involves disproportionate effort.

3. Right to erasure — Article 17

Individuals have the right to have their personal data erased without undue delay in specific circumstances: where the data is no longer necessary for the original purpose; where consent is withdrawn and there is no other lawful basis; where the individual objects and there are no overriding legitimate grounds; where the processing was unlawful; or where erasure is required by law.

The right to erasure is not absolute. Article 17(3) lists circumstances where it does not apply — most relevantly for businesses, where retention is necessary for compliance with a legal obligation (such as MLR 2017 for AML-regulated firms), for the establishment or defence of legal claims, or for exercising the right of freedom of expression and information. The exemption must be assessed and documented for each request.

Source: UK GDPR Articles 17 and 17(3)

4. Right to restriction of processing — Article 18

Individuals can request that processing is restricted — meaning the data can be stored but not otherwise used — in four circumstances: where they contest the accuracy of the data (restriction applies while accuracy is verified); where the processing is unlawful but they prefer restriction to erasure; where the controller no longer needs the data but the individual needs it for legal claims; or where they have objected and the controller is assessing whether legitimate interests override the objection.

During a period of restriction, the data may be stored but not otherwise processed. Before lifting a restriction, the individual must be informed. Third parties to whom the data was disclosed must be notified of the restriction.

5. Right to data portability — Article 20

Individuals have the right to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. The right applies only where processing is based on consent or contract, and is carried out by automated means. It does not apply to processing under other lawful bases or to manual records.

In practice, this right most commonly applies to consumer services — social media, financial services, health apps — where individuals want to move their data between providers. For most B2B or professional services organisations, the scope of the portability right is limited.

6. Right to object — Article 21

Individuals can object to processing based on legitimate interests or public task at any time. Where an objection is received, processing must stop unless the controller can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.

Where processing is for direct marketing, the right to object is absolute — if an individual objects to their data being used for direct marketing, processing for that purpose must stop immediately with no assessment of overriding grounds. The individual must be informed of this right explicitly and separately from other rights in the privacy notice.

Source: UK GDPR Article 21; ICO right to object guidance

7 & 8. Rights related to automated decision-making — Article 22

Individuals have the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects on them. Where such processing does occur (for example, automated credit decisions or insurance pricing), one of three conditions must be met: explicit consent, necessity for a contract, or authorisation by law. Safeguards must include human review, the ability to contest the decision, and an explanation of the decision.

The right to an explanation of automated decisions is supported by the transparency requirements of UK GDPR Articles 13 and 14 — individuals must be informed at the point of data collection that automated decision-making is used, what the logic involves, and the significance and consequences of the processing.

Source: UK GDPR Article 22; ICO guidance on automated decision-making

Operational procedures required

Each of the eight rights requires a documented procedure — not just awareness that the right exists. At minimum, every organisation must have: a process for recognising and logging rights requests (in whatever format they arrive); a process for verifying identity before responding; a system for tracking the one-month response deadline; a process for assessing exemptions where they may apply; and a record of each request and its outcome.

The ICO does not accept, as a defence, that a request went unanswered because it was not recognised as a formal rights request. If a communication clearly conveys that an individual wants access to, correction of, deletion of, or objection to processing of their data, it is a rights request and the response deadline applies.

Record this. Keep a dated log of every data subject rights request received — the right exercised, the date received, the response date, any extension applied, and the outcome. This is your evidence if the ICO investigates a complaint about how a request was handled.
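As an added illustration of the logging, identity-verification, deadline-tracking, exemption-recording and outcome-recording steps listed above (example code written for this guide, not GDPRLedger's own software and not taken from the ICO), the following Python module keeps a dated log of rights requests and computes the one-calendar-month deadline. It assumes the ICO's counting convention as understood by the author of this example: the deadline is the corresponding date in the following month, or the last day of that month when no corresponding date exists (31 January plus one month is 28 February). The request identifiers, dates and outcome strings are constructed sample values.

```python
"""Illustrative rights-request log with calendar-month deadline tracking."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# The eight rights covered by this guide, keyed by the Article that grants them.
RIGHTS = {
    "access": "Article 15",
    "rectification": "Article 16",
    "erasure": "Article 17",
    "restriction": "Article 18",
    "portability": "Article 20",
    "objection": "Article 21",
    "automated_decision": "Article 22",
    "explanation": "Article 22",
}


def add_calendar_months(d: date, months: int) -> date:
    """Move forward by whole calendar months, clamping to the last day of the
    target month when it has no corresponding day (assumed ICO convention)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def response_deadline(received: date, extension_months: int = 0) -> date:
    """One calendar month from receipt, plus any extension counted from the
    same start date (Article 12(3) permits up to two further months)."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension must be 0, 1 or 2 months")
    return add_calendar_months(received, 1 + extension_months)


@dataclass
class RightsRequest:
    request_id: str
    right: str
    received: date
    identity_verified: bool = False
    extension_months: int = 0
    exemption_assessed: str | None = None  # e.g. "Article 17(3): legal obligation"
    responded: date | None = None
    outcome: str | None = None
    history: list[str] = field(default_factory=list)  # dated audit trail

    @property
    def deadline(self) -> date:
        return response_deadline(self.received, self.extension_months)


class RightsRequestLog:
    """In-memory log; a real deployment would persist this with access controls."""

    def __init__(self) -> None:
        self._requests: dict[str, RightsRequest] = {}

    def get(self, request_id: str) -> RightsRequest:
        return self._requests[request_id]

    def log_request(self, request_id: str, right: str, received: date) -> RightsRequest:
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}; expected one of {sorted(RIGHTS)}")
        req = RightsRequest(request_id, right, received)
        req.history.append(f"{received}: logged {right} ({RIGHTS[right]}); deadline {req.deadline}")
        self._requests[request_id] = req
        return req

    def verify_identity(self, request_id: str, on: date, method: str) -> None:
        req = self.get(request_id)
        req.identity_verified = True
        req.history.append(f"{on}: identity verified via {method}")

    def extend(self, request_id: str, months: int, reason: str, on: date) -> date:
        """Record an extension; the individual must be told within the first month."""
        req = self.get(request_id)
        if on > response_deadline(req.received):
            raise ValueError("extension must be notified within the original month")
        req.extension_months = months  # validated inside response_deadline
        req.history.append(f"{on}: extended by {months} month(s) ({reason}); deadline {req.deadline}")
        return req.deadline

    def record_outcome(self, request_id: str, responded: date, outcome: str,
                       exemption: str | None = None) -> None:
        req = self.get(request_id)
        if not req.identity_verified:
            raise ValueError("verify identity before responding")
        req.responded, req.outcome, req.exemption_assessed = responded, outcome, exemption
        late = " (LATE)" if responded > req.deadline else ""
        req.history.append(f"{responded}: {outcome}{late}; exemption: {exemption or 'none'}")

    def overdue(self, as_of: date) -> list[str]:
        """Open requests whose deadline has passed, in receipt order."""
        return [r.request_id for r in sorted(self._requests.values(), key=lambda r: r.received)
                if r.responded is None and as_of > r.deadline]
```

The clamping rule is the part worth testing in any tracker: a request received on the 31st of January, March, May, August, October or December gets a shorter month than one received on the 1st, and a naive "add 30 days" calculation lands on the wrong date either side.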

Not legal advice. This guide is derived from UK GDPR Articles 15–22 and ICO published guidance as at April 2026. Rights and exemptions are highly fact-specific. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.