Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Article 15 of the UK GDPR?
- Why Is Article 15 Important for UK Businesses?
- What Is a Subject Access Request (SAR)?
- What Counts as Personal Data Under Art 15?
- Step-By-Step: How Should UK Businesses Respond to a Subject Access Request?
- What Exemptions or Limitations Apply to Art 15?
- How Can Businesses Prepare for Subject Access Requests?
- What Happens If You Get It Wrong?
- Are There Special Considerations for Small Businesses?
- Key Takeaways
As a UK business owner, there’s no escaping the realities of data protection law - especially when it comes to privacy rights like those found in Article 15 (“art 15”) of the UK GDPR. These laws can feel overwhelming if you’re new to business, but getting them right is absolutely vital to keeping your reputation strong, building trust with customers and staying out of legal hot water.
Art 15 is all about your customers’ right to access personal data that you hold about them. This is a core part of the “data subject rights” built into modern privacy law. If you welcome clients, customers, or even employees into your business and collect any of their information - even something as simple as a name or email - understanding Article 15 isn’t optional. It’s essential.
But don’t stress - in this guide, we’ll demystify art 15 for UK businesses. You’ll discover what Article 15 actually requires, how subject access requests (SARs) work, practical steps to comply, and what to do if things get complicated. By the end, you’ll not only know how to meet your obligations, but you’ll see how good data rights management can be a real asset as your business grows.
What Is Article 15 of the UK GDPR?
Let’s start with the basics: Article 15 (art 15) of the UK General Data Protection Regulation (GDPR) gives individuals the right to obtain a copy of their personal data from businesses and organisations that process it. This is often referred to as the “right of access.”
In plain English, this means:
- If someone (a “data subject”) asks, you must confirm whether you are processing their personal data and, if you are, give them a copy of it (subject to the exemptions covered later in this guide).
- You must also provide the “supplementary information”: why you use their data, what categories of data you hold, who you share it with, how long you keep it, where you got it, and the other details listed below.
This right applies to nearly every business in the UK, no matter your size or sector. Even if you’re a sole trader with a side hustle, if you collect personal data (like emails, addresses, payment details, or staff records), you need to comply with art 15.
Key things art 15 requires you to provide:
- Confirmation that you’re processing their data
- A copy of the personal data
- The purposes of the processing
- The categories of personal data concerned
- Who you share it with (including recipients outside the UK, and the safeguards that apply to those transfers)
- How long you keep the data, or the criteria you use to decide
- Where you got the data from (if not directly from them)
- Their rights, such as rectification, erasure, restriction and objection
- Their right to complain to the ICO if they’re unhappy
- Whether you use automated decision-making or profiling about them and, if so, meaningful information about the logic involved and its likely consequences
The law aims to be transparent and empower people to control their information - something customers really value these days.
Why Is Article 15 Important for UK Businesses?
You might be wondering why art 15 is such a big deal if you’re just starting out or only collect simple customer data. Here’s why this right matters:
- Legal compliance: The UK GDPR and Data Protection Act 2018 make compliance mandatory. Infringing data subject rights falls in the higher tier of ICO penalties (up to £17.5 million or 4% of annual worldwide turnover, whichever is higher), and even a far smaller penalty is enough to hurt a small business.
- Customer trust: Being able to confidently and efficiently handle SARs shows you value privacy and are committed to doing things right - this builds loyalty and sets you apart.
- Risk management: Mishandled SARs can result in complaints to the ICO (the UK’s data regulator), negative reviews, or even lawsuits.
- Efficient systems: Good practices around SARs are a foundation for all kinds of data management, making it easier as your business grows or if you enter partnerships, seek investment, or face due diligence.
Ignoring art 15 isn’t just a legal risk - it’s a business risk. The best approach is to bake data rights compliance into your business from day one. That way, when a customer or the ICO comes knocking, you’re ready and confident.
What Is a Subject Access Request (SAR)?
The most common way art 15 comes up for businesses is through a Subject Access Request - often called a “SAR”. This is when an individual contacts your business to ask for:
- A copy of all their personal data that you hold
- Confirmation of what you do with it
- Details about your processing activities
Customers, clients, employees, and even job applicants can submit SARs at any time, directly or through someone acting on their behalf. There is no official format required - someone could ask by email, in a letter, on social media, or even face-to-face, and they don’t need to use the words “subject access request”. You can’t insist they fill in a special form (but you can provide one to make things easier).
You must respond:
- Without undue delay and at the latest within one month of receiving the request. You can extend this by up to two further months if the request is complex or you have received several from the same person, but you must tell them within the first month and explain why.
- Free of charge, unless the request is “manifestly unfounded or excessive”, in which case you can refuse or charge a reasonable fee based on your administrative costs. The burden is on you to show the request meets that threshold, so tread carefully and document your reasons. You can also charge a reasonable fee for further copies of data you have already provided.
Staff should be trained to spot SARs and know who to escalate them to. Mishandling a request - or missing one altogether because the person used unusual wording - can cause real problems down the track.
For detailed steps on handling SARs, see our practical guide: How to Respond to Subject Access Requests in the UK.
What Counts as Personal Data Under Art 15?
Art 15 applies to all “personal data” - a term with a broad definition under the UK GDPR and Data Protection Act 2018. In general, this means any information about an identified or identifiable person. This can include:
- Names and addresses
- Email addresses and phone numbers
- Purchase or service histories
- Employee or contractor records
- Website usage data (cookies, IP addresses, etc.)
- Social media handles
- Location data
- CCTV footage or audio recordings, if linked to a person’s identity
It’s very likely that if your business manages any customer, staff, or user information, it falls within art 15’s remit. Remember, “processing” covers almost anything you do with data (collecting, storing, using, deleting, etc.), not just sharing it externally.
Step-By-Step: How Should UK Businesses Respond to a Subject Access Request?
Here’s a quick stepwise process for handling SARs in line with Article 15 of the UK GDPR:
- Identify the request: Train staff to spot a SAR, even if it’s informal. Log the date it was received (the clock starts then) and pass it to whoever handles data protection in your business.
- Confirm the identity: Where you have reasonable doubts, ask for proof of identity, but keep it proportionate and use what you already hold (for example, replying to the email address already on the account) rather than demanding fresh documents. This step matters for security as well as compliance: a SAR is an easy way for an impersonator to pull someone else’s data out of your business, and sending one person’s data to the wrong requester is itself a personal data breach. The time limit runs from the point you have what you need to verify the requester.
- Clarify the scope: If you hold a large amount of information about the person, you can ask them to specify what they want. The ICO’s position is that the one-month clock is paused while you wait for clarification you genuinely need, but you must ask promptly and must not use clarification as a way to delay.
- Locate all relevant data: Search systems, emails, files, backups, and cloud apps for all personal data relating to the requester, including data held by your processors on your behalf.
- Prepare the response: Assemble the data in a secure, intelligible format. Double-check you’re not disclosing other people’s personal data, confidential trade secrets, or data protected by legal privilege. If any of these apply, redact or withhold those parts and tell the requester that you have done so and why, as far as you can without undermining the reason for withholding.
- Include required information: Alongside the data, include the supplementary information art 15 requires: purposes, categories of data, recipients, retention periods, the source of the data, any transfers outside the UK and the safeguards used, any automated decision-making or profiling, and the individual’s rights (rectification, erasure, restriction, objection and complaint to the ICO).
- Respond within the time limit: Send the information securely (for example, an encrypted file or secure portal rather than an unencrypted email attachment) within one month, or within the extended period if you have notified an extension. State clearly that the response is complete, and provide contact details for further queries and for complaints to the ICO.
- Document your process: Maintain records of each SAR: when it was received, how identity was verified, what was searched, what was disclosed or withheld and why. This is essential if the ICO investigates or the requester complains.
What Exemptions or Limitations Apply to Art 15?
As with many legal rights, there are a few limitations and exemptions when it comes to handing over data under art 15. UK law allows you to:
- Refuse requests that are “manifestly unfounded or excessive” (but you must tell the requester why, inform them of their right to complain to the ICO, and document your reasoning)
- Withhold information where disclosing it would adversely affect the rights and freedoms of others (most commonly where a document also contains a third party’s personal data and that person has not consented and it is not reasonable to disclose it without consent)
- Protect trade secrets and information covered by legal professional privilege or similar confidentiality, though you must still provide everything that can be separated from the protected material
- Rely on the specific exemptions in Schedule 2 to the Data Protection Act 2018, which cover areas such as crime prevention and detection, taxation, legal proceedings, management forecasts, negotiations and confidential references
Decisions to rely on exemptions should not be taken lightly. If you’re unsure, it’s always best to get tailored legal advice from a data privacy lawyer to assess your specific situation.
How Can Businesses Prepare for Subject Access Requests?
Proactive preparation is the best medicine when it comes to art 15. That means putting the right policies, procedures, and documents in place now - before you receive your first SAR. Here are the essentials:
- Publish a clear Privacy Policy: The UK GDPR requires you to give people privacy information (usually in a Privacy Policy or privacy notice) explaining how you handle their data, what rights they have, and how they can exercise them, including how to make a SAR.
- Map your data flows: Know where you store and process customer, client, and employee data - both on your systems and on external/cloud platforms. This makes it much faster to respond to SARs.
- Train your team: Ensure everyone is aware of SARs, how to spot them, and who to inform internally. Mistakes often happen when requests are missed or mishandled at the first point of contact.
- Set up SAR procedures: Create a step-by-step workflow outlining how you respond to requests. This should include template letters and checklists for consistent, compliant responses.
- Keep good records: Track SARs and how you handle them. This can be vital if you later need to prove compliance to the ICO or defend a complaint.
For more, check our advice on building a GDPR-compliance toolkit for UK businesses.
What Happens If You Get It Wrong?
Failing to comply properly with art 15 can result in:
- Investigations or fines from the ICO (these can be severe, depending on the scale and harm caused)
- Dissatisfied customers, bad reviews, and loss of trust
- Potential claims for compensation if someone suffers because you withheld or mishandled their personal data
- Legal headaches and reputation damage that are much harder to fix after the fact
It’s far easier (and cheaper!) to get your data protection and SAR processes right from the outset. Getting professional help to review your systems and policies may be the best investment you make all year.
Are There Special Considerations for Small Businesses?
Yes. Every business, no matter how small, must comply with art 15, but the rules are designed to be proportionate:
- The deadline is the same for a micro-business as for a large company: “without undue delay and at the latest within one month”. If a request is genuinely complex, you can extend by up to two further months, as long as you tell the requester within the first month and explain why.
- You can refuse “manifestly unfounded or excessive” requests, but be cautious: the threshold is high, and you must be able to justify your decision to the ICO if challenged.
- Outsourcing your data or using cloud services? Your contracts with processors must require them to assist you with data subject requests, and you should know how to get data out of each platform quickly (see our guide on data controllers vs processors).
You’re not alone - a little preparation and guidance goes a long way. If you ever feel out of your depth, reaching out to data privacy experts can provide clarity and peace of mind as you grow.
Key Takeaways
- Article 15 (art 15) of the UK GDPR gives individuals the right to access their personal data and key details about how and why it’s processed.
- All UK businesses, from sole traders to companies, must be able to handle Subject Access Requests (SARs) quickly, efficiently, and for free (in most cases).
- Personal data includes almost any information that identifies individuals - customers, employees, clients, or prospects.
- Businesses must respond to SARs within one month, providing the requested data and all legally required information.
- Proper preparation (mapped data flows, clear policies, staff training, and documented processes) is crucial to smooth and compliant SAR handling.
- Failing to comply with art 15 can result in ICO fines, customer complaints, negative publicity, and reputational damage.
- If you’re ever unsure about exemptions, third-party data, or complex SARs, it’s wise to get expert legal advice tailored to your business.
If you’d like help preparing for art 15 requests, reviewing your privacy policies, or ensuring full data protection compliance, reach out anytime for a free, no-obligation chat with our friendly legal team. You can call us on 08081347754 or email team@sprintlaw.co.uk. We’re here to help you stay protected from day one - so your business can grow with confidence!