What Are the 8 Rights of Data Subjects?

The UK GDPR empowers data subjects to take control of how organisations process their personal data. Discover what rights data subjects have and how you can comply with them.



Many GDPR breaches and non-compliance fines happen because organisations don’t understand the basics of data protection.

At its simplest, the UK GDPR protects individuals’ data. Personal data, or special category data, is personal for a reason. When organisations mishandle this, they risk their reputation and the rights of these individuals. 

Our mission is to make data protection easy, so in this blog, we’re going back to the basics. Keep reading to discover the 8 rights of data subjects and how to maintain GDPR compliance. 

What Is a Data Subject?

A data subject is a person who can be identified directly or indirectly by their personal data. This includes their name, ID number, location data or information about the person’s physical, psychological, genetic, mental, economic, cultural or social identity.

In other words, a data subject is the individual an organisation collects data from. Other parties include data controllers and processors, who must comply with data protection laws.

What Are the Eight Rights of Data Subjects? 

The UK GDPR empowers data subjects to hold organisations accountable for the data they handle. Under this legislation, the individual has 8 rights all businesses must be aware of.

1. Right to Be Informed

The right to be informed includes providing data subjects with information about what data you’re collecting, for how long and what you intend to do with it. 

As an organisation, you must offer this information clearly to build trust with the individual. The Information Commissioner’s Office (ICO) labels this information ‘privacy information’, which includes:

  • Data controller’s identity and contact details;
  • Data Protection Officer’s (DPO) contact details (where appropriate);
  • The purposes of processing; 
  • The legal basis for processing;
  • The categories of personal data collected;
  • The details of data transfers to third parties or international organisations;
  • Data retention period; 
  • Rights granted under the UK GDPR;
  • The right to complain;
  • Whether the collection of data is a statutory or contractual requirement; and,
  • If automated decision-making is involved. 

Article 13

2. Right of Access

The right of access allows individuals to receive copies of their personal data. Requests made under this right are commonly known as subject access requests (SARs).

A data subject can submit a SAR verbally or in writing, including on social media. You only have one month to respond to a data subject access request (DSAR), so the clock starts ticking the moment your DPO receives it. 

We have a complete guide on handling SARs, but if you want to get this request sorted quickly and compliantly, our team offer exceptional SAR support services.  

Did you know changes around refusing DSARs are incoming? Head to our recent blog on the Data Protection and Digital Information (DPDI) Bill to find out where your organisation stands. 

3. Right to Rectification

Individuals have the right to ask organisations to update any inaccurate or incomplete data they have on them. 

If the request is valid, you have one month to make these changes. While rectifying data for one individual may appear easy, it raises concern about whether accuracy is maintained across your database. 

Due diligence is crucial upon review, so now would be a good time to conduct a broader GDPR audit.

4. Right to Erasure

The right to erasure, or right to be forgotten, allows individuals to have their personal data deleted under certain circumstances. These include:

  • The personal data is no longer necessary;
  • The individual withdraws consent;
  • The individual objects to data processing, and there are no legitimate grounds to continue this processing; 
  • Unlawful processing of personal data;
  • Erasure has to be done in accordance with a legal obligation;
  • Personal data has been processed to provide information society services.

Article 17

Want to know the solutions for data erasure? Read our blog on individual rights to learn more.

5. Right to Restrict Processing

Organisations can be limited in how they process an individual’s data. This right doesn’t mean a data controller has to erase personal data.

Instead, you are restricted from processing data but can continue storing it. You have one month to action this if these situations apply: 

  • Data is inaccurate (similar approach to the ‘right to rectification’);
  • Data has been unlawfully processed;
  • The individual wants you to keep their data stored for a legal claim (even if you no longer need it); and,
  • The individual has already submitted a data erasure request, and you are working on it. 

6. Right to Data Portability

Data subjects can obtain and reuse their personal data for whatever purpose. As such, data controllers must provide their data in a structured, usable, machine-readable format. 

Examples include CSV, XML and JSON files. 

7. Right to Object to Processing

This is as simple as it can get – an individual can object to data processing under certain circumstances. An organisation has one month to respond. 

Individuals can also object to data being used for direct marketing. This right to data privacy is under recent discussion, with social media giants relying on a ‘pay or ok’ model to support their processing activities.

8. Rights to Automated Decision Making and Profiling 

The UK GDPR gives individuals the right to object to data processing if it is automated (e.g., without human interaction).

This also includes whether profiling data is taken, such as mental health or work performance, and if it significantly impacts the individual.  

What Happens If You Violate a Data Subject’s Rights?

If you violate any of these rights, you could face:

  • Financial damage – You could face fines from the ICO of up to £17.5 million or 4% of your annual turnover (whichever is higher).
  • Loss of trust – Poor handling of your customers’ rights will impact their trust in you and raise doubts about your company’s competence. 
  • Legal complications – By violating data subject rights, you’re not complying with the UK GDPR. Not only will this risk fines, but you will likely undergo legal complications that will damage your reputation.

Expert Information Request & SAR Support

Our data protection consultancy will help you maintain GDPR compliance and efficiently handle information rights requests.

We have a proven track record of managing SARs, GDPR audits and other services to keep risk low. Contact our team to learn more today.