Individual Rights
Data subjects have power. Know what to do when they use it.
Overview
GDPR gives individuals a set of rights over their personal data. These rights are not theoretical β individuals can and do exercise them, and organisations have legal obligations to respond correctly and on time. Answer the five questions below with the precision expected of someone who might actually receive a rights request at work.
Read before you answer
GDPR gives individuals (data subjects) a set of enforceable rights over their personal data. These rights are not optional features β they are legal entitlements, and organisations must have processes in place to respond to them within defined timeframes. Failing to respond correctly to a rights request β or ignoring it β can result in regulatory complaints and fines. The core rights are: the right of access (to receive a copy of personal data held and information about how it is processed); the right to rectification (to have inaccurate data corrected); the right to erasure ("the right to be forgotten" β to have data deleted in certain circumstances); the right to restriction of processing; the right to data portability (to receive data in a machine-readable format); and the right to object (to stop processing in certain circumstances, particularly direct marketing).
The right of access β commonly exercised through a Subject Access Request (SAR) β must be responded to within one calendar month of receipt, extendable by a further two months in complex cases (with notification to the data subject). There is generally no fee for a SAR. The response must include: a copy of the personal data; confirmation that data is being processed; the purposes of processing; the categories of data; recipients of the data; the retention period; and information about other rights. The right to erasure is not absolute β it does not apply when processing is necessary for compliance with a legal obligation, the exercise of legal claims, archiving in the public interest, or other specified grounds. Organisations should therefore conduct a careful assessment rather than automatically erasing data on request.
Requests can be submitted by any means β email, letter, verbally. Organisations cannot insist on a specific format. Identity verification is permissible where there is reasonable doubt about the requester's identity, but the bar for requesting verification should be proportionate β you cannot make it systematically burdensome. Requests that are manifestly unfounded or excessive (particularly where they are repetitive) may be refused or charged a reasonable fee, but the organisation must be able to demonstrate the basis for this conclusion. The right to object to direct marketing is absolute and must be honoured immediately, without any assessment of grounds.