One of the core principles of UK GDPR is that individuals, referred to as data subjects, have meaningful rights over their personal data. These rights create legal obligations: businesses must have processes in place to respond to requests within defined timeframes. Understanding what these rights are and how to honour them is a practical compliance requirement for any business processing personal data.

UK GDPR grants individuals several rights: access to data held about them, correction of inaccurate data, deletion in certain circumstances, restriction of, or objection to, certain types of processing, and the right to receive data in a portable format. Businesses must respond to valid requests within a defined period and, in most cases, without charging a fee. Refusing a valid request without lawful grounds is a breach of UK GDPR.

The most commonly exercised right is the right of access — often called a subject access request or SAR. Having a process for receiving, verifying, and responding to SARs before they arise avoids delays and compliance risk. Our guide to data subject rights under UK GDPR explains each right in plain terms and what businesses need to do to respond correctly.