Last updated: 29.07.19

Personal data – what are my rights under GDPR?

What is GDPR and how does it affect me?

The General Data Protection Regulation (GDPR) established the standard for data protection and privacy back in 2018 across the whole of Europe, including the United Kingdom. This covers personal data around a ‘data subject’ – a specific person which the data references – as well as sensitive personal data which is a special category that includes characteristics like racial or ethnic origin, religious beliefs, political values, biometric data and sexual orientation, among others. GDPR means that businesses which aim to store and process personal data for any reason must do so by adhering to six key principles.

As a data subject, you are able to exercise a number of rights under GDPR in relation to the organisations and entities that process your personal data for any reason. We’ve listed out these data subject GDPR rights with a brief summary of what they mean.

GDPR indivdual rights

1. The right of access

Data subjects have the right of access to any personal data kept on you by an organisation. This includes confirming that said organisation is processing your data, a copy of your personal data which is being processed, and any additional information. Subject access requests need to be acted upon within one month of the request being received.

2. The right to data portability

Data subjects have the right to request personal data which is held by an organisation and reuse it with other third parties. This means data subjects are able to take said data and make use of it somewhere of more practical use to the data subject.

3. The right to erasure

Data subjects can invoke the right to erasure – also called the ‘right to be forgotten’ – by referring to one of six reasons when requesting this of an organisation which is processing their data. These include:

  • The data no longer being needed after it has fulfilled its specified purpose
  • The data subject withdraws their consent following unlawful processing or special circumstances
  • The data has been unlawfully processed
  • The data subject invokes the right to object which proceeds the right to erasure
  • The data needs to be deleted in accordance with legal obligations with an EU member state law
  • The data relates to that of a child

4. The right to be informed

This is one of the key parts of the GDPR regulation, as it outlines that businesses must be transparent in their intent. Data subjects may request detail on exactly how an organisation will process their data and where said data will end up and potentially be shared with.

Looking for more information on GDPR? Click here to view our free GDPR resources.

5. The right to restrict processing

If a data subject believes that the data that has been collected on them is not accurate, is being processed unlawfully, or wish to prevent data processing while in the midst of an erasure request, they can restrict the processing of any personal data. This means that an organisation can store the information on a data subject but not make use of it, as well as notify any third parties they shared the data with in order to prevent them from processing it as well.

6. The right of rectification

Any data subject who believes that the data stored by an organisation is incorrect or inaccurate can invoke the right of rectification in order to have the erroneous data altered or erased. Once a request have been made of an organisation, they must comply within one month of receiving the request.

Looking for GDPR training for your employees? Click here to view our comprehensive GDPR training.

7. The right to object to processing

When a data subject’s information is processed under assumed public interest, such as direct marketing, then this processing can be objected to. This only applies to public interest tasks, and can only be overruled if the organisation can prove there are compelling legitimate grounds for continue to process a data subject’s information.

8. The rights in relation to automated decision making and profiling

Automated processing which profiles a data subject based on data held on them can be objected to provided the profiling has been done solely via automation. Examples of this would be recruitment software pulling a data subject for a particular vacancy based on their listed occupation, years of service, etc.


What does GDPR compliance mean?

GDPR compliance means managing your usage of personal data in accordance with the regulations contained within GDPR.

How do I know if I am GDPR compliant?

The best way to check that you are GDPR compliant is to complete a Data Protection Impact Assessment from the ICO and, if needed, contact ICO for more information and advice afterwards.

How long do you have to respond to a GDPR request?

Once a GDPR data request has been made, organisations have to respond no later than one calendar month from the receipt of the request. For more complex requests or multiple requests, the limit is three calendar months.

Check out our full range of FAQs. Click Here to view.

If you’re interested in reviewing your rights in line with GDPR or own a business which processes customer data and would like to know more about how to avoid non-compliance, then our Essentials of GDPR e-learning course is perfect for getting to grips with the ins and outs of GDPR. This interactive course breaks down the information surrounding GDPR into easily digestible pieces and can be completed at your own pace.

Related resources