What GDPR Data Subject Rights do I have in the UK?

Published on: 22nd December 2018

You have 10 Rights as a Data Subject as a UK resident under GDPR, as defined on the Information Commissioner's website.

You have a right ...

  1. to be informed if your personal data is being used
  2. to get copies of your data
  3. to get your data corrected
  4. to get your data deleted (aka. the "Right To Be Forgotten")
  5. to limit how organisations use your data
  6. to data portability (so you can move it from one organisation to another)
  7. to object to the use of your data
  8. to know about and object to decisions being made about you from your data without human involvement
  9. to access information from a public body
  10. to raise a concern about how an organisation is using your data

A full definition of what these rights cover can be found at the ICO website.

Requesting action based on your rights

Any request you raise for a response from an organisation about your personal data is known as a "Subject Access Request", or SAR. You can invoke this request this verbally, or in writing and the ICO says;

"[the organisation] must act on the subject access request without undue delay and at the latest within one month of receipt."
from the ICO website

You will probably be asked for some form of proof of identity which is intended to stop any mischief and improper invocation of SARs.

Once your identity is confirmed, the organisation will address your request.

If they do not respond adequately to your request you can escalate the issue by informing the ICO of your complaint and concerns.

Help for organisations to process SARs

If you are an organisation in receipt of a SAR you will have to ensure you deliver the response in this timeframe. We have a software solution that can help you manage Subject Access Requests when they arise.


PYXI GDPR Team: 22nd Dec 2018 15:02:00