UK GDPR gives individuals eight core rights over their personal data. These rights apply whenever a UK organisation — or an organisation processing UK residents' data — holds information about you. Exercising these rights is free, and organisations are required to respond within one month. Failure to comply can result in ICO enforcement action and compensation claims.
1. The right to be informed
Organisations must tell you what personal data they hold about you, why they process it, who they share it with, and how long they keep it. This information is typically provided in a privacy notice (privacy policy). You have this right at the point your data is collected — not something you need to request.
If an organisation obtained your data from a third party rather than directly from you, they must inform you within one month of obtaining it.
2. The right of access (Subject Access Request)
You can request a copy of all personal data an organisation holds about you. This is called a Subject Access Request (SAR). The organisation must respond within one month and provide the information free of charge.
To make a SAR, contact the organisation in writing (email is sufficient) and identify yourself. You do not need to use any special form or language — simply asking "please provide a copy of all personal data you hold about me" is enough.
Organisations can extend the deadline by two months for complex or numerous requests, but must tell you within the first month if they are doing so.
3. The right to rectification
If personal data held about you is inaccurate or incomplete, you have the right to have it corrected. Organisations must respond within one month. If they disagree that the data is inaccurate, they must tell you why and document the dispute.
4. The right to erasure ("the right to be forgotten")
You can request that an organisation delete your personal data. This right applies when:
- The data is no longer necessary for the purpose it was collected
- You withdraw your consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- The data must be erased to comply with a legal obligation
The right to erasure is not absolute. Organisations can refuse if they need the data to comply with a legal obligation, exercise legal claims, or for reasons of public health or scientific research.
5. The right to restrict processing
You can ask an organisation to pause processing your data without deleting it — for example while a complaint is being investigated. During restriction, the organisation can only store the data, not process it for other purposes (without your consent or for legal claims).
6. The right to data portability
Where you provided your data to an organisation and processing is based on your consent or a contract, you can request that data in a structured, machine-readable format (such as CSV or JSON) so you can transfer it to another service. This right applies to automated processing — not to manual records.
7. The right to object
You can object to processing based on legitimate interests or public task, including profiling. The organisation must stop processing unless it can demonstrate compelling legitimate grounds that override your interests. For direct marketing, the right to object is absolute — organisations must stop immediately with no grounds to override.
8. Rights related to automated decision-making
You have the right not to be subject to solely automated decisions that have a significant legal or similarly significant effect on you — such as automated loan decisions, recruitment screening, or insurance pricing. You can request human review of such decisions and challenge them.
What to do if an organisation doesn't respond
If an organisation ignores your request, responds late, or refuses without good reason, you have two options:
- Complain to the ICO at ico.org.uk/make-a-complaint — free, and the ICO can compel compliance
- Take legal action — you can apply to court to enforce your rights and claim compensation for damage suffered
Compensation after a data breach
If an organisation's failure to comply with data protection law has caused you damage — financial loss or distress — you may be entitled to compensation under UK GDPR Article 82. See our guide to data breach compensation and use the Data Breach Compensation Calculator to estimate what you may be owed.