Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is the Right to Rectification?
- Why Does the Right to Rectification Matter for Your Business?
- What Counts as Personal Data Needing Rectification?
- When Can Someone Exercise Their Right to Rectification?
- How Should UK Businesses Handle a Right to Rectification Request?
- How Long Do You Have to Respond?
- Can You Refuse a Rectification Request?
- What Happens If You Get It Wrong?
- How Can You Prepare Your Business for Rectification Requests?
- Right to Rectification vs. Other Data Subject Rights
- What Legal Documents and Resources Can Help?
- Key Takeaways
If your business collects and stores any personal data, you’ve probably heard about the GDPR - the UK’s core privacy law. But did you know your customers and employees have a powerful say in ensuring the information you hold about them is correct?
The right to rectification is a key part of the UK GDPR (the General Data Protection Regulation, as retained in UK law after Brexit). It gives individuals the legal power to demand you correct mistakes or update incomplete data. Whether you’re running a small online shop, a service-based business, or handling HR data, ignoring this right can land you in hot water with the ICO - and damage your reputation fast.
Don’t stress - by understanding your obligations, building the right processes, and knowing when to get expert help, you can confidently manage rectification requests and turn privacy compliance into a business strength. Let’s break down exactly what the right to rectification means, who it protects, how to handle requests correctly, and what steps you should take as a modern UK business.
What Is the Right to Rectification?
The right to rectification is a vital piece of the UK GDPR. In simple terms, it allows any individual (known as a “data subject”) to request that you amend or update personal data you hold about them if it’s inaccurate or incomplete.
This means that if someone spots an error in their name, address, employment record, or any other personal information your business processes, they have the legal right to ask you to fix it - and you’re required to do so (unless there’s a valid legal exception).
The right is enshrined in Article 16 of the UK GDPR, and applies to:
- Customers and users
- Staff (current, former, or job applicants)
- Third parties whose data you’ve collected - e.g. marketing leads, suppliers
Why Does the Right to Rectification Matter for Your Business?
Getting privacy right isn’t just about ticking a legal box - it’s about building trust. Here’s why rectification is so crucial for UK businesses:
- Legal risk: Not responding properly can mean GDPR fines or investigations by the Information Commissioner’s Office (ICO)
- Customer relations: Promptly correcting records shows you take people’s data - and their rights - seriously
- Data accuracy: Keeping accurate, up-to-date info prevents errors in billing, service delivery, and future communication
- Business reputation: Mishandling personal data (or dragging your feet on requests) can damage how people see your brand
No matter your size, if your company handles personal data, GDPR compliance should be a foundation of your privacy culture from day one.
What Counts as Personal Data Needing Rectification?
The UK GDPR covers a broad range of personal data, including:
- Names, addresses, phone numbers, emails
- Employee records (e.g. job titles, work history, pay details)
- Purchase histories or order information
- Website user data and account info
- Health, financial, or other sensitive details
If the data can identify an individual on its own (or combined with other information you control), it falls under GDPR and the right to rectification applies.
When Can Someone Exercise Their Right to Rectification?
The right to rectification kicks in when:
- Personal data you hold is incorrect (e.g. wrong address, mistyped name)
- The data is incomplete (e.g. missing middle name, incomplete payment details)
If a customer tells you their surname has changed or a staff member says their training record is missing details, you must act to put things right. The process isn’t optional - and you have a legal duty to respond promptly.
How Should UK Businesses Handle a Right to Rectification Request?
If you receive a rectification request (sometimes called a “data subject request”), here’s how to handle it:
Step 1: Confirm the Request
- Ask the person to specify what data needs correcting, and provide any supporting info or documentation
- Check their identity, especially for sensitive or high-risk data, to prevent unauthorised changes
- Remember: requests can be made in writing, verbally, via email, social media or even in person
Step 2: Assess the Accuracy
- Check whether the data is indeed inaccurate or incomplete
- If you reasonably doubt the accuracy, you can ask for further evidence (but don’t create unnecessary barriers)
Step 3: Make the Correction (or Add a Supplementary Statement)
- If the data is wrong or partial, update your records as soon as possible
- If you can’t make the change immediately (e.g. you need clarification), you can temporarily restrict processing under the right to restriction
- If you believe the data is already correct, explain your reasoning (you might need to justify this to the ICO if challenged)
Step 4: Notify Third Parties
- If you’ve shared the data with others, you must tell them about the correction too - unless this is impossible or would involve disproportionate effort
It’s a good idea to keep internal records of all rectification requests and how you’ve handled them, as proof of compliance.
How Long Do You Have to Respond?
Under the UK GDPR, you must respond to all right to rectification requests:
- Without undue delay, and in any event
- Within one month (this can be extended by a further two months for complex or numerous requests, but only if you tell the individual about the extension, and why, within the first month)
In most cases, it’s important to act quickly. Delays can lead to ICO complaints or undermine consumer confidence.
Can You Refuse a Rectification Request?
In rare cases, you may have a valid reason not to change the data. For example:
- You reasonably believe the data is already accurate and complete
- The request is manifestly unfounded or excessive
- You need to retain the original record for legal, employment, or regulatory reasons (such as maintaining audit trails)
If you do refuse, you must:
- Explain the reason in writing
- Inform the individual of their right to complain to the ICO or seek a judicial remedy
It’s wise to seek legal advice if you’re unsure, as refusals are risky and often attract increased scrutiny.
What Happens If You Get It Wrong?
Failing to comply with the right to rectification is a breach of the UK GDPR. The risks include:
- ICO investigation - individuals can complain directly to the ICO, who will usually contact your business
- Regulatory fines - serious or repeated failures can trigger substantial fines (up to millions of pounds for grave violations)
- Litigation - the affected individual could bring legal claims for damages if they suffer harm due to inaccurate data
- Reputational damage - mishandling privacy rights can quickly go viral and erode client trust
Handling requests poorly also undermines any “privacy by design” principles in your business and could flag other GDPR compliance gaps.
How Can You Prepare Your Business for Rectification Requests?
The good news is, with clear processes and a privacy-first approach, managing the right to rectification doesn’t have to be complicated.
- Have a clear Data Protection Policy explaining how you handle and correct data - and make sure it’s available to staff and clients alike. You can see our tips for your Data Protection policy.
- Train your staff on recognising and managing rectification requests - frontline employees (like customer service or admin) should know what to do.
- Review your Privacy Policy to ensure you mention the right to rectification and give people an easy way to request corrections. If you need help creating or reviewing your privacy statements, check out our cookie and privacy policy tips.
- Have internal checklists or flows so you act within the response timeframe (see our guide to deadlines).
- Keep clean, accessible records - this makes it easier to action requests and maintain audit trails for compliance.
- Be clear with your customers about how they can notify you of errors, and make the process straightforward (avoid unnecessary obstacles).
- Review your supplier and third party contracts - make sure partners will cooperate with rectifications where relevant. Clauses in your supplier agreements should cover data accuracy and cooperation on data rights.
Remember, your GDPR compliance should span your whole business, not just be left to the IT or legal team. If you’re just starting out, see our quick GDPR tips for small businesses.
Right to Rectification vs. Other Data Subject Rights
It’s important to distinguish the right to rectification from other data rights under the UK GDPR. Individuals can also:
- Request a copy of their personal data (subject access request)
- Ask for data to be erased (the “right to be forgotten”)
- Restrict or object to processing
- Request data portability (for certain types of data)
You’ll want robust policies to handle all of these rights. Often, a request for rectification will come alongside other data rights - for example, someone might want to see their full record (access), correct mistakes (rectification), or restrict it while you investigate (restriction).
If you’re not confident your business can handle these requests efficiently and lawfully, don’t wait until a request lands - it’s much easier to prepare now with the right advice.
What Legal Documents and Resources Can Help?
To manage the right to rectification well, consider reviewing or implementing these essentials:
- A tailored Privacy Policy that covers all UK GDPR rights
- A Data Breach Response Plan to prepare for privacy issues or mistakes
- Clear Data Processing Agreements with suppliers and processors (get yours here)
- Internal rectification procedures in your staff handbook or compliance documents
- Employee training materials on GDPR rights and request handling
Avoid off-the-shelf templates for crucial documents - tailored advice means you stay protected, empowered, and GDPR-compliant from day one.
Key Takeaways
- The right to rectification gives individuals the legal power to correct inaccurate or incomplete personal data your business holds
- Your business must act “without undue delay” - generally within one month of the request
- Requests should be easy to make, and your staff should know how to verify and act on them
- Failing to comply could trigger ICO complaints, fines, damages claims or reputational risk
- Clear policies, staff training and robust contracts are essential to streamline compliance
- If in doubt, always seek tailored legal advice to manage tricky or unusual requests
Ready to make your privacy compliance a business advantage? If you’d like help setting up watertight processes or need a hand with rectification requests, reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat about your legal needs. Our team is here to empower your business to grow safely and confidently.