Data Subject Rights Under UK GDPR: A Practical Guide for UK Businesses
Henry Dawson
Jun 16, 2026
14 min read
[Image: Data subject rights under UK GDPR for UK businesses, with rights icons and a London office workspace]

Understanding data subject rights UK GDPR requirements is essential for any UK business that handles personal data. These rights allow individuals to ask what information an organisation holds about them, correct inaccurate records, object to certain processing, request deletion in some cases, and challenge certain automated decisions.

For HR, legal, compliance and customer service teams, these rights are not just legal theory. They appear in everyday situations: an employee asks for their personnel file, a customer asks for their account data, a former worker wants old records deleted, or a parent asks how their child’s information is being used. If staff do not recognise these requests quickly, deadlines can be missed and complaints can escalate.

This guide explains the eight rights under UK General Data Protection Regulation (UK GDPR), how subject access requests work, and how UK businesses can train teams to respond correctly. If you need a wider foundation first, start with our GDPR explained guide, which explains the UK GDPR framework, principles, penalties and ICO expectations.

The 8 Data Subject Rights Under UK GDPR

UK GDPR gives individuals several rights over their personal data. These rights are designed to increase transparency, control and accountability in how organisations use personal information.

The eight main rights are:

  • Right to be informed
    Individuals have the right to be told how their personal data is collected and used. This is usually done through privacy notices for customers, employees, applicants, website users or service users.
  • Right of access
    Individuals can ask whether you process their personal data and request a copy of that data. This is commonly known as a subject access request (SAR).
  • Right to rectification
    Individuals can ask you to correct inaccurate personal data or complete incomplete data.
  • Right to erasure
    Individuals can ask for personal data to be deleted in certain circumstances. This is also known as the right to be forgotten.
  • Right to restrict processing
    Individuals can ask you to limit how their data is used in certain situations.
  • Right to data portability
    Individuals can ask to receive certain personal data in a structured, commonly used and machine-readable format, so they can reuse it or transfer it to another service.
  • Right to object
    Individuals can object to certain types of processing, including direct marketing and processing based on legitimate interests or public task.
  • Rights related to automated decision-making and profiling
    Individuals have rights where decisions are made solely by automated means and have legal or similarly significant effects.

These rights are not all absolute. In some cases, exemptions under the Data Protection Act 2018 may apply. For example, a business may need to withhold certain information if disclosure would affect another person’s rights, prejudice an investigation, or reveal legally privileged material. However, exemptions should be applied carefully and documented.

For a deeper understanding of the legal framework behind these rights, read our Data Protection Act 2018 explained guide.

Right of Access — Handling Subject Access Requests

The right of access to personal data is one of the most commonly used data subject rights in the UK. It allows an individual to ask an organisation whether it processes their personal data and, if so, to receive a copy of that data along with supporting information.

For UK businesses, subject access requests can come from employees, former employees, customers, patients, service users, contractors, pupils, parents or members of the public. They do not need to use legal language. A request may simply say, “Please send me all the information you hold about me” or “I want a copy of my HR file.”

SAR obligations under UK GDPR can create operational pressure because the response may require searches across HR systems, email accounts, customer records, shared drives, paper files and archived systems.

What Is a SAR?

A subject access request, or SAR, is a request from an individual for access to their personal data. It can be made verbally or in writing, including by email, letter, web form, social media message or customer service chat.

A SAR does not have to mention “UK GDPR” or “subject access request”. If the person is clearly asking for their own personal data, your organisation should treat it as a rights request.

A SAR response usually includes:

  • confirmation of whether you process the person’s personal data;
  • a copy of the personal data;
  • the purposes of processing;
  • categories of personal data;
  • recipients or categories of recipients;
  • retention information;
  • information about individual rights;
  • information about the right to complain to the ICO;
  • details of the source of the data, where available;
  • relevant information about automated decision-making, where applicable.

A practical HR example would be a former employee asking for “all emails and HR records about me”. The HR team may need to search personnel files, absence records, grievance records, performance records and relevant emails. However, they must also consider third-party data, confidentiality, legal privilege and any applicable exemptions.

A customer service example would be a customer asking for a copy of their account notes and call recordings. The business needs to identify systems where the customer’s data is held and provide the relevant personal data securely.

How Long Do You Have to Respond?

UK businesses must respond to a SAR without undue delay and within one month of receiving the request. If the request is complex, or the individual has made several requests, the organisation may extend the deadline by a further two months.

If you extend the deadline, you should tell the individual within the first month and explain why more time is needed. You should not use extensions as a routine delay tactic.

In most cases, you cannot charge a fee for a SAR. However, you may be able to charge a reasonable fee or refuse to comply if a request is manifestly unfounded or excessive. This should be assessed carefully and documented.

The ICO has taken enforcement action where organisations have failed to respond to SARs properly or within statutory timeframes. For example, the ICO has issued enforcement notices and reprimands in cases involving serious SAR delays and backlogs. This shows why organisations need a reliable process, not an ad hoc response.

A practical SAR process should include:

  • recognising the request;
  • logging the request date;
  • verifying identity where necessary;
  • clarifying scope if needed;
  • identifying systems and records to search;
  • reviewing third-party information;
  • applying exemptions where justified;
  • approving the response;
  • sending the data securely;
  • keeping an audit trail.

Because SARs can arrive through any customer-facing or employee-facing channel, staff awareness is essential. Our GDPR training for UK businesses helps teams recognise rights requests early and escalate them correctly.

Right to Rectification

The right to rectification allows individuals to ask organisations to correct inaccurate personal data. They may also ask for incomplete personal data to be completed, depending on the purpose of processing.

This right is especially important in HR, payroll, healthcare, education, finance and customer service. Inaccurate personal data can lead to wrong decisions, missed payments, poor service, reputational harm or unfair treatment.

A practical HR example is an employee discovering that their emergency contact details, job title or salary information is incorrect. The employer should check the request, correct the record where appropriate, and ensure the correction is reflected in relevant systems.

A customer service example is a customer asking for their address to be updated after a failed delivery. The business should correct the address promptly and check whether any related records also need updating.

Organisations may sometimes disagree that data is inaccurate. For example, a manager’s recorded opinion in an appraisal may be disputed by an employee. In that case, the organisation may not always have to delete or rewrite the opinion, but it should consider whether a supplementary statement or note of dispute should be added.

Common failures include:

  • correcting one system but leaving duplicate records unchanged;
  • ignoring requests because they seem informal;
  • failing to tell relevant processors or departments about corrections;
  • treating disputed opinions as simple factual errors;
  • not keeping evidence of how the request was handled.

Accuracy is also one of the seven UK GDPR principles. For more on the principles behind individual rights, read our guide to data protection principles explained.

Right to Erasure (Right to Be Forgotten)

The right to erasure under UK GDPR is often called the right to be forgotten. It allows individuals to ask an organisation to delete personal data in certain circumstances.

However, this right is not absolute. A business does not always have to delete all personal data simply because someone asks.

The right to erasure may apply where:

  • the data is no longer needed for the original purpose;
  • the individual withdraws consent and there is no other lawful basis;
  • the individual objects to processing and there is no overriding reason to continue;
  • the data was processed unlawfully;
  • deletion is needed to comply with a legal obligation;
  • the data was collected from a child in relation to online services.

There are also situations where a business may need to keep data. For example, an employer may need to retain payroll records for legal or tax reasons, even if a former employee asks for all records to be deleted. A healthcare provider may need to keep patient records in line with professional and legal retention requirements. A business may need to retain complaint records to establish, exercise or defend legal claims.

A practical example is a former customer asking an ecommerce business to delete their account. The business may be able to delete marketing preferences and inactive profile data, but may need to retain transaction records for accounting, fraud prevention or legal purposes.

Another example is a former employee asking HR to delete all disciplinary records. The employer should assess whether the records are still necessary, whether the retention period has expired, and whether legal or employment reasons justify continued retention.

Good practice is to explain clearly what has been deleted, what has been retained, and why. This helps avoid the impression that the request has been ignored.

Right to Restrict Processing

The right to restrict processing allows an individual to ask an organisation to limit how their personal data is used. This is different from deletion. The data may still be stored, but the organisation should not use it for certain purposes while the restriction applies.

This right may apply where:

  • the individual disputes the accuracy of the data;
  • the processing is unlawful but the individual does not want deletion;
  • the organisation no longer needs the data, but the individual needs it for legal claims;
  • the individual has objected to processing and the organisation is considering whether its reasons override the objection.

A practical HR example is an employee disputing the accuracy of an investigation note. While the issue is being checked, the organisation may need to restrict use of that note in further decision-making.

A customer example is a person objecting to the way their data is being used for profiling. The business may need to pause that processing while it assesses the objection.

Common failures include continuing to use data as normal after restriction is requested, failing to mark restricted records clearly, or not communicating the restriction to relevant teams and processors.

Right to Data Portability

The right to data portability allows individuals to obtain and reuse certain personal data for their own purposes across different services. It is designed to make it easier for people to move, copy or transfer their data.

However, the scope is limited. The right to data portability applies only when:

  • the lawful basis is consent or contract;
  • the processing is carried out by automated means; and
  • the data was provided by the individual.

It does not generally apply to paper records, data processed under legal obligation, or data created by the organisation through analysis or inference.

A practical example is a customer asking a digital service provider to provide account information they supplied when signing up. The business may need to provide the data in a structured, commonly used and machine-readable format, such as CSV or JSON, depending on the context.

In HR, data portability may be less common than SARs, but it can still arise where employee-facing platforms process data based on contract or consent. Teams should not assume portability applies to every HR record.

Data portability should not adversely affect the rights and freedoms of others. If a file includes personal data about another person, the organisation may need to review and separate information before disclosure.

Right to Object

The right to object allows individuals to object to certain processing of their personal data. It is particularly important where processing is based on legitimate interests, public task, direct marketing, research or statistical purposes.

For direct marketing, the right to object is strong. If someone objects to direct marketing, the organisation must stop using their personal data for that purpose. This includes related profiling for direct marketing.

A practical example is a customer clicking “unsubscribe” or emailing to say they no longer want promotional messages. The business should add the person to a marketing suppression list rather than simply deleting them from the mailing list, because deletion alone could lead to them being added again later.

For processing based on legitimate interests, the organisation must consider the individual’s objection and decide whether it has compelling legitimate grounds to continue. This is not automatic. The organisation should document its assessment.

An HR example could involve an employee objecting to certain monitoring based on legitimate interests. The employer should consider the objection, review the purpose and proportionality of the monitoring, and explain the outcome.

Rights Related to Automated Decision-Making

UK GDPR includes rights related to automated decision-making and profiling. These rights are relevant where decisions are made solely by automated means and have legal or similarly significant effects on individuals.

A decision is solely automated where there is no meaningful human involvement. Examples may include automated rejection of a job application, automated credit decisions, automated service eligibility decisions, or automated decisions affecting access to essential services.

Profiling means using personal data to evaluate or predict aspects of a person, such as performance at work, economic situation, health, preferences, interests, behaviour or location.

Organisations using automated decision-making should be clear about:

  • what decisions are automated;
  • what data is used;
  • whether the decision has legal or similarly significant effects;
  • whether meaningful human review is available;
  • how individuals can challenge decisions;
  • whether a data protection impact assessment is needed.

In recruitment, for example, an employer using automated screening tools should understand whether the tool simply supports human review or makes decisions without meaningful human involvement. The difference matters.

For organisations with a Data Protection Officer or compliance lead, automated decision-making should be reviewed as part of wider governance. For foundational reading on the role, see our guide to what a DPO does. For schools and education providers handling pupil or parent rights requests, our school data protection guide provides sector context.

Training Your Team to Respond to Rights Requests

Data subject rights are only effective if organisations recognise and manage requests properly. A written policy is useful, but it is not enough if frontline staff do not know what a rights request looks like.

Customer service teams, HR staff, reception teams, managers and administrators may all receive rights requests. These requests may be informal and may not mention UK GDPR. For example:

  • “Can you send me everything you hold about me?”
  • “Delete my account and all my details.”
  • “Your record of my sickness absence is wrong.”
  • “Stop using my data for marketing.”
  • “I want a copy of the call recording.”
  • “I don’t want an algorithm deciding my application.”

Training helps staff recognise these as potential rights requests and escalate them quickly. This is especially important because deadlines usually start when the request is received, not when it reaches the compliance team.

Effective training should cover:

  • the eight individual rights;
  • how to recognise a SAR;
  • identity verification basics;
  • escalation routes;
  • deadlines and extensions;
  • secure disclosure;
  • third-party information;
  • erasure limitations;
  • direct marketing objections;
  • automated decision-making risks;
  • when to involve the DPO or legal team.

Organisations should also provide templates, checklists and clear ownership. A rights request log can help track deadlines, decisions, exemptions, responses and lessons learned.

For teams building stronger processes, data protection training supports wider UK GDPR compliance, while a DPO training course can help those responsible for oversight, governance and complex rights requests.

FAQs

How long does a UK business have to respond to a SAR?

A UK business must respond to a subject access request without undue delay and within one month of receiving it. This can be extended by a further two months if the request is complex or the individual has made several requests.

Can I charge a fee for a subject access request?

In most cases, you cannot charge a fee for a subject access request. You may be able to charge a reasonable fee or refuse to comply if the request is manifestly unfounded or excessive, but this should be assessed carefully and documented.

Do I have to delete all personal data when someone requests erasure?

No, the right to erasure is not absolute. You may need to keep some personal data for legal obligations, employment records, tax purposes, regulatory requirements, complaints, safeguarding or legal claims.

What is the right to data portability?

The right to data portability allows individuals to receive certain personal data in a structured, commonly used and machine-readable format. It applies only in specific circumstances, mainly where processing is based on consent or contract and carried out by automated means.

Can I refuse a subject access request?

You can refuse a subject access request only in limited circumstances, such as where it is manifestly unfounded or excessive, or where a specific exemption applies. If you refuse, you should explain your decision and tell the individual about their right to complain to the ICO.

Equip your compliance team — explore our GDPR training courses for UK businesses and help your staff recognise, escalate and manage data subject rights requests with confidence.

 
