Your Rights as a Data Subject
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have extensive rights over your personal data. These rights apply to any organisation that collects, stores, or uses information that identifies you — from your employer and bank to social media platforms and government departments.
Last updated: 2026-03-08
Your Rights
Right to Be Informed
Organisations must tell you what personal data they collect about you, why they collect it, how they use it, who they share it with, how long they keep it, and what your rights are. This is usually provided in a privacy notice.
Right of Access
You have the right to obtain a copy of all personal data an organisation holds about you (a Subject Access Request). The organisation must respond within one month, free of charge.
Right to Rectification
If your personal data is inaccurate or incomplete, you have the right to have it corrected. The organisation must respond within one month.
Right to Erasure
You can ask an organisation to delete your personal data in certain circumstances — for example, if it is no longer necessary, you withdraw consent, or it was unlawfully processed. Also known as the 'right to be forgotten'.
Right to Object
You have the right to object to processing based on legitimate interests or public task. If you object, the organisation must stop processing unless it can demonstrate compelling legitimate grounds.
Right to Compensation
If an organisation breaches data protection law and you suffer material damage (financial loss) or non-material damage (distress), you have the right to claim compensation through the courts.
Common Myths
Organisations can do whatever they want with your data if you agreed to their terms and conditions
Consent is only one of six lawful bases for processing. Even where consent is the basis, it must be freely given, specific, informed, and unambiguous. You can withdraw it at any time.
You can always get your data deleted
The right to erasure is not absolute. Organisations can refuse if the data is needed for legal compliance, legal claims, public interest, or freedom of expression.
Data protection only applies to digital data
UK GDPR applies to personal data in any form — digital files, paper records, CCTV footage, audio recordings, and more.
What To Do
Check the privacy notice
Read the organisation's privacy policy to understand what data they collect and how they use it.
Make a Subject Access Request
Write to the organisation requesting a copy of all personal data they hold about you. They must respond within one month.
Ask for correction or deletion
If data is inaccurate or you want it deleted, write to the organisation citing the specific right under UK GDPR.
Complain to the ICO
If the organisation does not comply, complain to the Information Commissioner's Office (ICO). The ICO can investigate and take enforcement action.
Key Legislation
- UK General Data Protection Regulation
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003
- Freedom of Information Act 2000