Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Many UK businesses know they need a privacy policy, but far fewer are ready when a real person actually uses their rights under data protection law. That is where problems usually start. A customer asks for a copy of their data, an ex-employee wants records erased, or a marketing contact objects to direct marketing, and the business either ignores the request, asks for too much ID, or misses the deadline.
Those mistakes can create complaints, regulatory attention, and unnecessary friction with customers and staff. The issue is not just legal wording. It is whether your business can recognise a request, respond properly, and keep sensible records of what happened.
This guide explains what individual rights under UK GDPR mean in practice, when these rights tend to come up for startups and SMEs, the main rules around timing and scope, and the common operational mistakes that catch founders before they sign contracts, launch online, or spend money on systems that are harder to fix later.
Overview
UK GDPR gives people a set of rights over how organisations collect, use, store and share their personal data. If your business handles customer, employee, contractor, website user or marketing data, you need a workable process for dealing with these rights, not just a privacy notice that mentions them.
The main legal question is usually not whether the rights exist, but how your business should respond in a specific situation and within the required time.
- Know which rights apply, including access, rectification, erasure, restriction, objection and data portability
- Train staff to spot a rights request, even if the person does not use legal language
- Verify identity sensibly, without creating unnecessary barriers
- Track the one-month response deadline and any lawful extension
- Check whether an exemption or limitation applies before refusing a request
- Make sure your privacy notice, data processing contracts and internal processes line up
- Keep records of the request, your decision, and what action you took
What Individual Rights GDPR Means For UK Businesses
Individual rights under UK GDPR mean that your business must give people meaningful control over their personal data, and you need systems that can respond when those rights are used.
Under UK GDPR and the Data Protection Act 2018, individuals have several rights that businesses commonly deal with. These rights apply to personal data, which means information relating to an identified or identifiable person. For many SMEs, that includes names, email addresses, phone numbers, order history, HR records, CVs, IP logs, recorded calls and account notes.
The main rights your business should know
The rights most likely to affect startups and SMEs include the following.
- The right to be informed, which means people should receive clear information about how you use their data, usually through a privacy notice
- The right of access, often called a subject access request, which allows a person to ask for a copy of their personal data and related information
- The right to rectification, which allows a person to ask you to correct inaccurate or incomplete personal data
- The right to erasure, sometimes called the right to be forgotten, which applies in certain circumstances but is not absolute
- The right to restrict processing, which can require you to pause certain uses of personal data while an issue is checked
- The right to data portability, which applies in narrower cases where processing is based on consent or contract and carried out by automated means
- The right to object, which is especially relevant for direct marketing and some processing based on legitimate interests
- Rights relating to automated decision-making and profiling, where a decision is made solely by automated means and has legal or similarly significant effects
These rights are not all the same
Founders often assume every request means they must delete everything immediately. That is not correct. Each right has its own test, scope and limits.
For example, a request to erase data may be refused if you still need the information for a legal obligation, the establishment or defence of legal claims, or another valid basis recognised by law. A request for access usually requires disclosure of the individual’s personal data, but not necessarily every internal document in full if exemptions apply or third party data needs protecting.
Who needs to comply
If your business decides why and how personal data is used, you are usually acting as a controller for that data. Controllers carry the main responsibility for handling rights requests. If you process personal data on behalf of another business, such as through software, outsourced admin or payroll support, your contract should explain how you assist the controller with these requests.
This is where SMEs often get caught. A business may use a booking platform, CRM, email platform, HR system and cloud storage provider, but no one has checked who can pull data quickly, who controls deletions, and what the processor contract says. That becomes a problem when a request lands.
Timing matters
Most rights requests must be responded to without undue delay and within one month. In some cases, that period can be extended by up to two further months if the request is complex or there are multiple requests, but the individual must be told within the first month and given reasons.
You can ask for clarification if the request is genuinely broad or unclear, but that is not a tactic for delaying a response. You can also ask for ID where reasonable, but only if you need it to confirm the person’s identity.
Fees and refusals are limited
Businesses generally cannot charge a fee for handling an individual rights request. A fee may be allowed in limited cases, such as manifestly unfounded or excessive requests, particularly repetitive ones, but that threshold should be approached carefully.
Refusing a request also requires a lawful basis. If you refuse, you should explain why, tell the person about their right to complain to the Information Commissioner’s Office, and record your decision internally.
When This Issue Comes Up
Individual rights requests usually arrive at ordinary business moments, not during a formal legal process. The businesses that handle them well are the ones that planned for them before the request became urgent.
Customer data and online sales
If you sell online, run a subscription service, collect leads through your website, or use analytics and marketing tools, customers may ask what data you hold, ask you to correct details, or object to marketing. This often happens after a complaint, cancellation, refund dispute or change in trust.
For example, a customer may unsubscribe from marketing and then ask why they still received emails. That is not just a campaign issue. It may trigger an objection to direct marketing, questions about consent records, and a need to check how suppression lists are managed across systems.
Recruitment and HR
Job applicants, employees and former staff regularly use data rights. An unsuccessful candidate may ask for interview notes. A former employee may seek emails, performance records or grievance documents. A current employee may ask for inaccurate HR records to be corrected.
Before you sign employment contracts or roll out a new HR platform, it helps to know what records you will keep, for how long, who can access them, and how you will search them if a request comes in.
Founders raising investment or signing commercial deals
Due diligence often exposes privacy gaps. Investors, enterprise customers and commercial partners may ask how you handle subject access requests, deletion requests, retention periods and processor arrangements. If your answer is that the team handles requests ad hoc from a shared inbox, that can raise concerns.
This issue also comes up before you sign customer contracts with data protection clauses. Some clients will expect service levels, cooperation obligations and clear responsibility where an end user exercises their rights.
Using software, AI tools and outsourced providers
Rights requests become harder where personal data is scattered across multiple tools. Many SMEs use helpdesk software, accounting apps, document signing systems, chat tools, website plugins and AI features that all hold fragments of personal data.
Before you spend money on setup, check whether your providers allow data export, correction, suppression and deletion in a practical way. The legal right may sit with the individual, but the operational burden lands on your business.
Complaints and relationship breakdowns
A rights request is sometimes really a complaint wearing a privacy label. A dissatisfied customer, ex-contractor or former business contact may use a subject access request as part of a wider dispute.
That does not mean you can dismiss it. It does mean your response should be measured, documented and legally consistent, especially where there are overlapping issues such as confidentiality, legal privilege, employment records or ongoing disputes.
Practical Steps And Common Mistakes
The best way to handle individual rights under UK GDPR is to build a simple process before the first difficult request arrives. Most SMEs do not need a huge compliance programme, but they do need clear ownership, records and realistic workflows.
Set up a request handling process
Someone in the business should own the process. Staff should know where to send requests and what to do if one arrives through a sales inbox, social media message or support ticket.
Your process should cover the following points.
- How requests are identified, even when the individual does not mention GDPR
- Who logs the request and records the date received
- How identity is verified where necessary
- Which systems need to be searched
- Who decides whether an exemption applies
- How the response is approved and sent
- How deadlines are monitored
- What records are kept about the outcome
Make your privacy notice match reality
Your privacy notice should explain the rights available to individuals and how they can exercise them. It should also accurately describe what data you collect, why you use it, your lawful bases, retention periods and who you share data with.
A common mistake is copying a generic privacy notice that promises things the business cannot actually do, or fails to mention major data uses such as analytics, recruitment software or customer profiling.
Know your lawful bases and retention periods
You cannot assess many rights requests properly unless you know why you process the data in the first place. If you rely on contract, consent, legitimate interests, legal obligation or another lawful basis, that affects how you answer requests about deletion, portability and objection.
Retention also matters. Businesses often keep data indefinitely because storage is cheap, but that makes rights requests harder and riskier. A sensible data retention schedule can reduce the amount of personal data you need to search, disclose or justify keeping.
Do not confuse deletion with suppression
One of the most common mistakes in marketing databases is deleting the wrong thing. If someone objects to direct marketing, you may need to keep limited suppression information so you do not contact them again. Simply wiping the record may create a new compliance problem if the person is later re-added from another source.
The right answer depends on the context and the purpose for which the data is being kept. This is why your internal notes and marketing procedures need to line up.
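The suppression point above, as an added example that is not part of the original article: a small marketing store that handles an objection by removing the profile but keeping only a keyed hash of the address, so a later re-import from another source is blocked, next to the "wipe everything" approach that lets the person be re-added. The database layout, salt value and sample addresses are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key. In production keep this secret outside the marketing database,
# so a leaked suppression list cannot be turned back into a contact list.
SUPPRESSION_KEY = b"constructed-demo-key"


def normalise(email: str) -> str:
    # Match "Jane@Example.com" and "jane@example.com " as the same person.
    return email.strip().lower()


def suppression_token(email: str) -> str:
    # Keyed hash: enough to recognise a re-imported address, not enough to rebuild a profile.
    return hmac.new(SUPPRESSION_KEY, normalise(email).encode(), hashlib.sha256).hexdigest()


@dataclass
class MarketingDb:
    contacts: dict = field(default_factory=dict)  # normalised email -> profile
    suppressed: set = field(default_factory=set)  # suppression tokens only, no profiles

    def add_contact(self, email: str, profile: dict) -> bool:
        # Every entry point (signup form, list import, CRM sync) must check suppression first.
        if suppression_token(email) in self.suppressed:
            return False
        self.contacts[normalise(email)] = profile
        return True

    def object_to_marketing(self, email: str) -> None:
        # Right to object: drop the profile, keep a minimal record so we never contact them again.
        self.contacts.pop(normalise(email), None)
        self.suppressed.add(suppression_token(email))

    def wipe_completely(self, email: str) -> None:
        # The common mistake: nothing is left to stop a re-import re-adding the person.
        self.contacts.pop(normalise(email), None)


def compare_approaches() -> tuple:
    # Returns (re-added after suppression, re-added after a full wipe).
    good, bad = MarketingDb(), MarketingDb()
    for db in (good, bad):
        db.add_contact("Jane@Example.com", {"name": "Jane", "source": "web signup"})
    good.object_to_marketing("jane@example.com")
    bad.wipe_completely("jane@example.com")
    event_list = {"name": "Jane", "source": "event list"}  # constructed second source
    return (good.add_contact(" JANE@example.com", event_list),
            bad.add_contact(" JANE@example.com", event_list))


if __name__ == "__main__":
    print(compare_approaches())  # (False, True)
```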
Handle subject access requests carefully
A subject access request often creates the most work. The business may need to search emails, HR files, CRM notes, support tickets, recorded calls and internal messaging channels.
When dealing with access requests, check the following.
- Whether the request is clear enough or needs clarification
- Whether you hold personal data about the individual in multiple systems
- Whether any material includes personal data of other people
- Whether any exemptions may apply, such as legal privilege or management information in limited cases
- How to present the data in a concise, intelligible and secure format
A rushed dump of documents is not always a compliant response. The information must still be understandable, and you should take care not to disclose other people’s data unfairly.
Train your team on real-world triggers
Many requests are missed because staff expect a formal template. In reality, a person might say, “Please send me everything you hold on me”, “My details are wrong, fix them”, or “Stop using my data for marketing”. Those can all trigger legal obligations.
Give staff practical examples. Customer support, HR, sales and operations teams are often the first to see these requests.
Check your supplier and customer contracts
Contracts matter because rights requests often involve third party systems or shared responsibilities. Your processor agreements should require providers to assist with rights requests where relevant. Customer contracts may need to allocate responsibility if you process personal data on someone else’s behalf.
Before you sign a software contract or service agreement, check points such as:
- Whether the provider will assist with access, deletion and correction requests
- How quickly support is available if data needs to be extracted
- Whether deletion is permanent, partial, or delayed through backups
- Where data is stored and whether sub-processors are involved
- What happens to data at the end of the contract
Do not over-collect identity documents
It is reasonable to verify identity where needed, especially for sensitive requests. But asking every requester for a passport or utility bill as a default can be excessive, particularly if you already know who they are through an authenticated account or existing communications.
Use a proportionate approach. Ask only for what is needed to confirm identity in the circumstances.
Keep an audit trail
If a complaint reaches the ICO, your records matter. Keep a log of the request, what checks you made, the systems searched, any exemptions relied on, correspondence with the individual, and the final response date.
This does not need to be complicated. Even a clear internal register can make a major difference.
Common mistakes UK businesses make
- Treating a rights request as a customer service issue only, without legal review where needed
- Missing the one-month deadline because no one owns the process
- Promising immediate deletion without checking legal retention duties or dispute risks
- Ignoring data held by third party platforms, archived systems or personal inboxes
- Using privacy notices and contracts that do not match actual business practices
- Failing to distinguish between controller and processor responsibilities
- Refusing requests too quickly on the basis that they are inconvenient
FAQs
Do small businesses have to comply with individual rights under UK GDPR?
Yes. There is no general small business exemption from UK GDPR individual rights. The size of your business may affect what is proportionate in practice, but the rights still apply if you process personal data.
How long does a business have to respond to a GDPR rights request?
Usually one month from receipt, without undue delay. In more complex cases, the period can sometimes be extended by up to two further months, but the individual should be told within the first month.
Can a business refuse to delete personal data?
Yes, in some situations. The right to erasure is not absolute. A business may be able to keep data where it is needed for a legal obligation, legal claims, freedom of expression, public interest reasons, or other recognised grounds, depending on the context.
Does a person need to say “subject access request” for the law to apply?
No. A request can be valid without any legal wording. If someone asks for a copy of their personal data or asks you to stop certain uses of it, that may still trigger UK GDPR obligations.
Can we charge a fee for dealing with these requests?
Usually no. Fees are only allowed in limited cases, such as where a request is manifestly unfounded or excessive. Businesses should be cautious before relying on that exception.
Key Takeaways
- Individual rights under UK GDPR require businesses to respond properly when people ask about, access, correct, erase, restrict, object to, or transfer their personal data
- Most requests must be handled within one month, and informal wording can still count as a valid request
- Different rights have different limits, so deletion and access requests should not be answered with a one-size-fits-all approach
- Your privacy notice, retention approach, internal process and contracts with suppliers should all support your response process
- Common risks include missed deadlines, poor record-keeping, over-collection of ID, and failing to check data held across multiple systems
- Early planning helps founders avoid expensive fixes later, especially before signing major contracts, launching online, or scaling customer and HR systems
If your business is dealing with individual rights under UK GDPR and wants help with privacy notices, data processing contracts, subject access request handling, and retention policies, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.