Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you collect or use personal data in your business (and most of us do), you need to understand the right to rectification. Under UK data protection law, individuals can ask you to correct inaccurate personal data or complete incomplete data. Handling these requests properly isn’t just good customer service - it’s a legal obligation that can save you from complaints, audits and fines.
In this guide, we explain what the right to rectification is, when it applies, and the step-by-step process your business should follow. We’ll also cover response deadlines, when you can refuse a request, and the policies and contracts you should have in place to stay compliant from day one.
What Is The Right To Rectification Under UK GDPR?
The right to rectification is set out in the UK GDPR and the Data Protection Act 2018. In short, individuals can require you to correct personal data that is inaccurate, or to complete data that is incomplete (for example, by adding a missing middle name or updating an outdated job title).
“Personal data” means any information that identifies (or could identify) a living person - names, email addresses, employee files, customer profiles, website analytics tied to a user ID, and so on. If you control that data (as a “controller”), you’re responsible for keeping it accurate and up-to-date, taking into account the purposes for which you process it.
Why it matters to small businesses:
- It reduces operational risk - inaccurate records can trigger delivery errors, invoice disputes or payroll mistakes.
- It’s a legal duty - failing to act could lead to ICO complaints and reputational damage.
- It builds trust - being responsive and transparent reassures customers, employees and suppliers that you respect their rights.
Rectification interacts with other rights, too. For example, if someone submits a broader data rights request, you may see requests for access, deletion and rectification together. Having a clear process to handle subject access requests will make managing rectification requests much easier in practice.
When Does The Right To Rectification Apply?
In most everyday scenarios, if data is inaccurate or incomplete, individuals can ask you to correct it. Typical triggers for small businesses include:
- Customers change their address, email or phone number.
- Employees update their legal name, bank details or emergency contacts.
- Prospective hires spot errors in recruitment records.
- Suppliers ask you to update contact records for their account managers.
As a controller, you must take “reasonable steps” to verify and correct the data. What counts as reasonable depends on context - the nature of the data, the risk of harm if it’s wrong, and how frequently you use it.
Important nuances to keep in mind:
- Opinions vs facts: An opinion can’t be “incorrect” just because the data subject disagrees with it. However, if an opinion is based on wrong facts or presented as a fact (“John was absent on 5 June” when he wasn’t), rectification can still apply. In many cases, you can add a note explaining the individual’s view alongside the opinion.
- Data you received from third parties: You still need to take steps to verify and correct, and where appropriate notify those third parties to update their copies.
- Archived and backup data: If you keep backups for disaster recovery, you don’t need to edit those copies immediately. But you must ensure that if the backup is restored, the corrected data is applied.
- Marketing databases: If list hygiene is poor, bounce rates and spam complaints rise. Rectification requests are a cue to tidy your records and remove or correct stale entries.
Finally, the right to rectification sits alongside your duty to process data lawfully, fairly and transparently. Clear, up-to-date information in your Privacy Policy about how individuals can request corrections is a simple way to meet those transparency obligations.
How To Handle A Rectification Request: Step-By-Step For SMEs
You don’t need a big legal team to get this right. A clear, repeatable process will help you comply consistently and reduce disruption.
1) Acknowledge And Log The Request
Rectification requests can arrive by email, webform, phone or even via social channels. You don’t have to insist on a formal template, but you should confirm receipt and log the request in your data rights register.
- Record the date received (this starts the clock on your response deadline).
- Capture the requester’s identity and contact details.
- Note the data they want corrected and why they believe it’s inaccurate or incomplete.
2) Verify Identity (Proportionately)
You should be satisfied that the requester is who they say they are - especially before changing sensitive or high-risk data (for example, bank details). Keep identity checks proportionate. Request only what you need, and avoid collecting excessive documentation.
Tip: Build identity checks into your customer or employee service workflows to save time and maintain a consistent approach.
3) Assess And Decide What Needs Correcting
Look at the data, consider the evidence, and decide whether it’s inaccurate or incomplete. Where the change is straightforward (updated email address, corrected spelling), you can usually proceed without further investigation.
For contested matters (for example, performance notes in an HR file), consider whether rectification is appropriate, whether an explanatory note should be added, or whether the data should be marked as disputed.
4) Make The Change And Update Downstream Systems
Rectification isn’t complete until all relevant systems and data flows are updated. Map where the data lives (CRM, payroll, accounting, marketing tools) and ensure consistency. If you’ve shared the data with other organisations, take reasonable steps to notify them so they can correct their copies.
If a processor maintains systems for you (for example, a cloud HR platform), ensure your Data Processing Agreement requires timely assistance with rectification requests.
5) Confirm The Outcome
Tell the individual what you did, when it will take effect, and who you’ve notified (if applicable). If you’re not fully complying, explain your reasons, how you’ll handle disputed data (for example, adding a note), and how they can escalate to the ICO if they’re unhappy.
6) Keep A Paper Trail
Document the request, your reasoning, any evidence you relied on, the changes made, and the date you responded. Good records will help you demonstrate compliance in the event of an ICO query and improve your internal processes over time.
If the rectification request accompanied an access request, make sure your timelines and responses also align with the rules on SAR deadlines and scope.
Timeframes, Evidence And When You Can Refuse
Most rectification requests are simple and quick to resolve. Still, you should be clear on the statutory deadlines and the limited grounds for refusing or extending a request.
How Long Do You Have To Respond?
- Standard deadline: One month from the date you receive the request.
- Extensions: You can extend by up to two further months if the request is complex or you’ve received multiple requests from the same individual. Tell the individual within the first month that you’re extending and explain why.
- Fees: You cannot charge a fee, unless the request is manifestly unfounded or excessive - and even then, it’s usually better to refuse rather than charge.
If the rectification request is bundled with an access request, align your approach with your SAR process and make sure your team understands how to triage and prioritise. Having internal SAR templates can make your responses more consistent and efficient.
What Evidence Can You Ask For?
You can ask for evidence where it’s reasonable and necessary to verify the correction (for example, a deed poll for a legal name change, or a utility bill to confirm an address). Keep it proportionate and only collect what you need. If the risk of harm is low and the correction is minor, you likely don’t need extensive evidence.
When Can You Refuse A Request?
You may refuse a rectification request if it’s manifestly unfounded, excessive, or repetitive without good reason. You can also say no when the data is already accurate, or where completing it isn’t appropriate given the purpose (for example, adding excessive detail to a simple customer record).
If you refuse, you must tell the individual why, outline their right to complain to the ICO, and explain their right to bring a claim to court. For complex or edge cases, review the recognised SAR exemptions and seek tailored advice so you don’t over- or under-apply an exemption.
What If The Data Is In Dispute?
If you cannot determine whether the data is accurate - for example, where it’s an opinion or contested account - you can add a note to the record explaining that the individual disputes it and what their position is. This is often an appropriate compromise for HR files, complaint logs and professional assessments.
Policies, Contracts And Records To Put In Place
A smooth rectification process is easier when your privacy foundations are in good shape. Here are the practical pieces we recommend for SMEs.
Clear, Accessible Privacy Information
Make it easy for individuals to understand how to exercise their rights. Include a simple rectification process in your Privacy Policy, with contact details, identity verification steps, and an outline of the typical timeline. Keep your policy accurate, concise and tailored to your actual data flows - generic wording can cause confusion or create obligations you can’t meet.
Data Maps And Retention Schedules
Know where personal data lives across your systems (CRMs, accounting, HR, marketing, cloud storage). This helps you update all copies consistently and notify third parties when needed. Link rectification to your retention and deletion schedule, so you’re not correcting data you should have already erased. If deletion is more appropriate than correction, revisit your approach to data deletion.
Processor Contracts That Support You
When third-party vendors process data for you, your Data Processing Agreement should require them to assist promptly with rectification requests, including propagating corrections across their systems and supporting evidence capture. This isn’t just best practice - it’s a UK GDPR requirement for controller–processor relationships.
Front-Line Procedures And Training
Your team should know how to spot and triage rights requests, including rectification. Provide simple playbooks and escalation paths so requests don’t get lost in inboxes. If you run an online shop or platform, make sure your contact channels, webforms and FAQs point users in the right direction.
Consent, Cookies And Data Minimisation
Rectification gets much easier if you minimise the data you collect and keep it fresh. Review consent mechanisms, analytics settings and cookie controls so you’re not holding more personal data than you need. If you use consent for marketing or analytics, ensure your cookie experiences are compliant - using practical steps like lawful cookie banners and granular choices.
Incident Readiness
If you discover a pattern of inaccuracies (for example, a broken integration or import error), treat it like an incident. Fix the root cause, correct affected records, and consider whether any errors could have caused harm. Where inaccuracies result in a personal data breach (for example, invoices sent to the wrong person), your Data Breach Response Plan should guide next steps.
Templates And Registers
Keep standard response wording for rectification and broader data rights, and a central log of requests and outcomes. If you handle frequent access requests, reusable text and a clear workflow will reduce errors and speed up your compliance effort alongside your rectification process.
Key Takeaways
- The right to rectification under the UK GDPR lets individuals require you to correct inaccurate personal data or complete incomplete data. As a controller, you must take reasonable steps to keep data accurate and up-to-date.
- Build a simple process: acknowledge and log the request, verify identity proportionately, assess the data and evidence, correct it across systems, notify third parties where appropriate, and confirm the outcome to the individual.
- Act quickly: you have one month to respond, with up to two further months for complex or multiple requests. If you refuse, explain why, set out the right to complain to the ICO, and keep a clear audit trail.
- Use strong privacy foundations: maintain a tailored Privacy Policy, accurate data maps and retention schedules, and processor contracts that support rectification through a robust Data Processing Agreement.
- Coordinate with related rights: many rectification requests arrive with access requests, so align your approach to responding to SARs and keep an eye on SAR deadlines and applicable exemptions.
- Minimise and maintain: collect only what you need, keep records current, and ensure your cookie and tracking practices are lawful with practical, compliant cookie banners.
If you’d like help setting up a compliant rectification workflow, drafting a Privacy Policy, or putting the right contracts and templates in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.