Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Are Data Subject Rights Under GDPR?
- Why Do Data Subject Rights Matter for UK Businesses?
- What Types of Data Are Covered?
- What Is the Data Subject Rights Procedure?
- How Should You Handle a Subject Access Request (SAR)?
- What Policies Do You Need to Support Data Subject Rights?
- What If You Can’t Comply With a Request?
- Common Pitfalls and How to Avoid Them
- How Can Sprintlaw UK Help With Data Subject Rights?
- Key Takeaways
If your business handles personal data (from customers, employees, users, or even potential clients), understanding data subject rights is a non-negotiable part of GDPR compliance in the UK.
But let’s be honest: phrases like “data subject rights” can sound a bit intimidating, especially if you’re not a legal pro. What does it actually mean for your business day-to-day? What rights does an individual really have over their data, and how do you comply with requests or challenges?
Don’t stress: whether you’re launching a new startup or expanding your small business, we’ll walk you through the essentials, demystify key terms, and share practical steps so you can stay protected (and build trust with your customers) from day one.
Keep reading to find out what data subject rights are, why they matter, and the steps your UK business should take for rock-solid GDPR compliance.
What Are Data Subject Rights Under GDPR?
Let’s start with the basics. The General Data Protection Regulation (GDPR), and its UK equivalent post-Brexit, gives individuals (“data subjects”) a package of rights over their personal data. In plain English, this means people have both control and transparency around how businesses use information about them, from names and email addresses to profile photos, purchasing habits, or employment data.
Here’s a rundown of the core data subject rights:
- The Right to Be Informed: Individuals must know how and why their data is used (“processed”), ideally via a clear Privacy Policy on your website or at the point of collection.
- The Right of Access: Anyone can request a copy of the data you hold about them, known as a SAR (Subject Access Request).
- The Right to Rectification: If their data is inaccurate or incomplete, they can ask you to correct it.
- The Right to Erasure (“Right to be Forgotten”): They can ask you to delete their data under certain circumstances.
- The Right to Restrict Processing: Individuals can ask you to limit how you use their data.
- The Right to Data Portability: They can request to receive their data in a commonly used format (to share with another provider, for example).
- The Right to Object: They can object to how their data is being used, such as direct marketing or profiling.
- Rights Related to Automated Decision Making and Profiling: They’re protected from potentially harmful outcomes if decisions about them are made solely by automated means.
If you’re wondering, “What are data subject rights, and do I need to worry?”, the answer is simple: if you process personal data, you’re legally required to uphold these rights under the UK GDPR and the Data Protection Act 2018.
Why Do Data Subject Rights Matter for UK Businesses?
Respecting data subject rights isn’t just a legal box-check. It builds customer trust, reinforces your brand’s reputation, and keeps you out of trouble with the Information Commissioner’s Office (ICO), the UK’s data protection regulator.
Ignoring or mishandling a data subject rights request can lead to:
- Complaints to the ICO (which can investigate your compliance procedures),
- Fines and penalties for serious non-compliance, and
- Loss of customer confidence, potentially damaging your business long-term.
In short, understanding the rights of data subjects keeps you compliant, competitive, and builds a positive relationship with everyone whose data you handle.
What Types of Data Are Covered?
Data subject rights protect “personal data”, which basically means any information that can identify a living individual. That includes:
- Names, addresses, phone numbers, email addresses
- Online identifiers (IP addresses, cookies, account logins)
- Financial information, purchase and transaction details
- Employee records and HR information
- Photos, CCTV images, biometrics
- Any other data you collect as part of doing business
Even info you might not think is “private”, like a company email address if it can identify a person, can fall within the GDPR’s definition. If you’re unsure, see our detailed guide on when business email addresses are personal data under GDPR.
What Is the Data Subject Rights Procedure?
Your business must have clear, straightforward steps for handling data subject requests, sometimes called “data subject rights procedures.” This isn’t just best practice; it’s a core GDPR requirement.
Let’s break it down:
- Be Ready for Requests. Anyone can exercise their data subject access rights: customers, users, leads, even staff. You need to know (and train staff on) what to do the moment a request lands.
- Respond Promptly. Generally, you have one month to respond to a request (whether that’s replying with the information, confirming you’ve deleted their data, or explaining why you can’t comply).
- ID Verification. You can ask for proof of ID if you need to confirm the requester’s identity (especially for SARs).
- No (or Minimal) Fees. Requests should be handled free of charge in most cases; only charge if a request is “manifestly unfounded or excessive.”
- Log Everything. Keep records of requests received and how you responded (in case of ICO audits or disputes).
- Clear Communication. Use plain language and be open about how you’ve actioned the request. If you refuse, explain the reasons and inform them of their rights to complain to the ICO.
If this all sounds daunting, don’t worry: it’s more manageable than it seems, especially if you have a robust data protection process in place from the start.
How Should You Handle a Subject Access Request (SAR)?
A Subject Access Request (SAR), where an individual asks for a copy of their data, is the most common (and potentially most challenging) data subject right to deal with. Here’s how to handle it:
- Have a Clear Request Process: Offer a simple way for individuals to submit SARs (such as a web form or central contact email).
- Verify Identity: Don’t provide data unless you’re satisfied the request is genuine and from the correct person.
- Locate the Data: Search all your systems, databases, and files where the individual’s data may be stored, including emails, cloud backups, or paper records.
- Provide What’s Required: Supply a copy of the data, explain how you use it, who you share it with, how long you keep it, and their ongoing rights.
- Don’t Forget Redactions: Remove or redact (black out) information about third parties where necessary.
- Respond Within Time Limits: Remember, you usually have one month; ask for extensions only in complex cases (and explain why).
It’s wise to have documented SAR procedures and template responses ready in advance. Learn more with our detailed SAR response guide: How to Respond Effectively to Subject Access Requests (SARs) in the UK.
What Policies Do You Need to Support Data Subject Rights?
To confidently uphold data subject rights, your business needs a few core documents and policies:
- Privacy Policy: Clearly set out how you use, store, and share personal data, so people are informed before they provide data. (See our Privacy Policy Guide.)
- Data Protection Policy: Outlines internal procedures, staff responsibilities, and response steps for data subject rights requests.
- Data Retention Policy: Ensures you only keep personal data as long as necessary, which supports “right to erasure” requests. For more on this, see building a compliant GDPR data retention policy.
- Data Breach Response Plan: Required if you ever suffer a leak or hack; have a plan in place to notify affected data subjects and the ICO.
Avoid using generic templates or “off-the-shelf” policies from the internet; these are rarely tailored to your specific risks or sector requirements. Professionally drafted policies help you stay compliant and show you’re serious about protecting personal data.
What If You Can’t Comply With a Request?
There are rare cases where you can refuse a data subject request: for instance, if providing the data would expose another individual’s privacy, if the request is “manifestly unfounded,” or if the law requires you to keep certain information (such as records for tax or anti-fraud purposes).
If you decline a request, make sure you:
- Clearly explain the reasons to the individual
- Inform them of their right to complain to the ICO or seek legal remedy
- Document your decision process, so you can justify it in case of a dispute
Handling refusals carefully is just as important as upholding the right; get expert advice if you’re in doubt.
Common Pitfalls and How to Avoid Them
Avoiding GDPR slip-ups is crucial. Here are some pitfalls we regularly see small businesses fall into:
- Delaying or Ignoring SARs: Even accidental delays can trigger ICO investigations or fines.
- Not Training Staff: Team members must know how to escalate and handle data subject rights, especially front-line staff and managers.
- Poor Documentation: If you can’t show you’ve handled requests lawfully, you could be found non-compliant even if your intentions were good.
- Using Out-of-Date Policies: GDPR requirements change; review and refresh your GDPR policies at least annually.
- Not Vetting Processors: If you use software providers or contractors that handle data for you, ensure they’re also GDPR-compliant. (See our guide to vetting data processors.)
Setting up robust systems early can help you avoid these headaches, protecting your business as it grows.
How Can Sprintlaw UK Help With Data Subject Rights?
Getting GDPR right is a key part of building your business on solid legal foundations. At Sprintlaw UK, we help business owners prepare personalised Privacy Policies, draft robust procedures for handling subject access requests, and put in place compliant response plans if a data breach ever happens. We also offer GDPR compliance packs that cover every angle, so you can focus on growing your business with confidence.
If you’re unsure where to start, need a data subject rights procedure tailored to your industry, or want to review your compliance before an ICO audit, our expert lawyers are here to guide you every step of the way.
Key Takeaways
- Data subject rights are central to GDPR compliance in the UK, giving individuals control and transparency over their personal data.
- Your business is legally required to recognise and act on requests such as subject access, correction, deletion, and objection to processing, usually within one month.
- Have clear, documented procedures so your team can respond quickly and lawfully to rights requests.
- Protect your business with updated, tailored Privacy Policies and internal data protection policies that reflect current law and your operations.
- Train staff, document your process, and seek expert legal advice when facing tricky requests or potential refusals.
- Early action on GDPR compliance protects your brand, avoids costly penalties, and builds customer trust from day one.
If you’d like specific guidance on setting up or reviewing your business’s approach to data subject rights, reach out to us for a free, no-obligation chat on 08081347754 or at team@sprintlaw.co.uk. We’re here to help you get your legal foundations right, so you can get on with growing your business.