A guide to your GDPR data rights

The EU’s General Data Protection Regulation (GDPR) underpins the UK’s data protection regime. Under the GDPR, any organisation that handles personal information must use robust measures to keep this data safe. The more you know about the GDPR, the easier it is to hold organisations to account when they fail to protect your data rights.

What is GDPR?

The GDPR is an EU law on data protection and privacy. It establishes how your personal information can be used by organisations, businesses and the government.

Despite Brexit, all UK organisations must still comply with the GDPR, as the UK chose to retain its own version of the law (the UK GDPR) after the transition period ended. In the UK, the Data Protection Act (DPA) 2018 is the UK’s interpretation of the GDPR.

What are your GDPR rights?

In the UK, GDPR gives individuals the following rights:

The right to be informed

Under GDPR, people have a right to be notified if their personal data is being used or stored. This includes why an organisation uses your data, how it is using it, what types of data it is using, how long the data will be kept, whether it shares this data with any third parties, and more. A failure to provide this information could be a data protection breach.

What is personal data?

Personal data is anything that can be used to identify a specific individual – either on its own or along with other information. This could be a name, email address, financial information or even an IP address.

The right of access

You have the legal right to access any personal data an organisation holds on you. To exercise this right, you should ask for a copy of this data.

The right to rectification

You can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected or added to. Organisations do not always have to agree to such requests (for example, a doctor does not have to change an individual’s medical history if they believe a request is erroneous). But they must provide a legitimate reason if they do not do so (and tell the data subject what that reason is).

The right to erasure

GDPR gives you the right to have your personal data erased. This is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances.

The right to restrict processing

You can restrict the way an organisation uses your personal data, limiting what it may do with that data without requiring it to be deleted. This is an alternative to requesting the complete erasure of your data.

The right to data portability

You have the right to get a copy of your personal data from an organisation. You might want to pass this data to another organisation, so it must be provided in a transferable format where possible.

The right to object

In some circumstances, you can object to an organisation using your data at all. For example, you have the right to stop an organisation from using your data for email marketing.

Rights in relation to automatic decision making and profiling

Under GDPR, the processing of biometric data (such as images of a person’s face) and the use of automated decision-making, including profiling, are only allowed in very explicit circumstances. If an organisation uses technology that discriminates against individuals and automatically makes decisions that harm them, such technology would not be GDPR compliant.

Making a data subject access request

To access many of your GDPR data rights, you need to make a data subject access request (DSAR/SAR). You do not have to pay to make a DSAR. However, if you ask for extra copies, or if you ask for something that is ‘manifestly unfounded or excessive’, the organisation might charge a reasonable fee for administrative costs.

Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided in the timeframe, you can raise a complaint with the ICO. A refusal to respond to such a request within the legal timeframe could be a GDPR breach.

You can make a subject access request at any time. For example, many of our clients at KP Law make DSARs to start the compensation claim process following a data breach. If you decide that you want to make a SAR, there are some steps you should take…

Find out where to send your SAR

This should be listed on the organisation’s website (check the privacy policy usually found in the footer). If you can’t find this information, let the company know. If they don’t make it available, you can complain to the ICO.

Decide what data you want

Do you need everything an organisation has about you or just a specific piece of information? If you only need certain data and you want this quickly, it makes sense to be explicit. For example, you could ask if your data was exposed in a specific data breach.

Make your request

You can make a SAR in writing, in person, or over the phone. However, we recommend that you put your request in writing. This provides a clear evidence trail if we need this at a later date.

Provide any information that will help them to fulfil your request

When making a SAR, you should also include your name and contact details as well as any account or reference numbers.

Specify what format you want the information in

Most organisations will provide what you need electronically, but if you want it in another format, you can ask if this is possible. An organisation only has to agree to this if it is reasonable to do so.

Keep a copy of your request as well as any proof of postage or delivery

This will help if there are any delays or if they try to fob you off.

An organisation can refuse a request if it believes the request to be ‘manifestly unfounded or excessive’. But if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question and, if you remain dissatisfied, with the ICO.

GDPR protects you from more than just data breaches

When it comes to GDPR failures and abuses, most people think about data breaches.

A data breach is any situation in which data has been put at risk: for example, when criminals break into an organisation’s systems to steal information or, more commonly, when simple human error and poor data protection processes expose it.

But GDPR violations are not just about data breaches. A GDPR failure can happen when companies fail to uphold any of your individual data rights.

At KP Law, our data protection team is committed to making sure that people across England & Wales understand their data protection rights. And, if your rights have been violated by an organisation breaching any part of the GDPR/Data Protection Act, we may be able to help you to claim compensation. For example, in addition to our various data breach group actions, we support clients who have experienced GDPR violations because of facial recognition software and algorithmic and automated decision-making processes.

Why choose KP Law as your data protection lawyers?

When it comes to legal support, big organisations have deep pockets. And they are smarter and better resourced than ever before. So, it can be difficult for some law firms to stand up to such strength if they do not have data breach expertise or the resources to take the big players on.

At KP Law, we do not just even the score – we take the fight to them.

Our data breach team has the legal expertise and resources necessary to take on the corporate giants. What is more, the strength and means of our firm ensure that we never have to back down from a challenge. And with access to whatever resource we need – be that time to go the long-haul or the expertise to delve deep into the evidence – we have everything it takes to win.