The UK General Data Protection Regulation (UK GDPR) — retained from EU GDPR post-Brexit and supplemented by the Data Protection Act 2018 — gives UK residents some of the most comprehensive data rights in the world. Yet most people have never exercised a single one of these rights, aren't sure exactly what organisations can collect about them, and don't know how to complain when things go wrong. This guide explains your practical rights and how to act on them.
The Data Economy Reality
Every free app, social media platform, and loyalty programme collects data about you. UK GDPR gives you meaningful rights over this data — but exercising them requires knowing they exist. The ICO fined Meta £3 million in 2023 and has investigated hundreds of organisations. Your rights are legally enforceable, and complaints to the ICO are free.
Your Rights Under UK GDPR
- Right of Access (Subject Access Request): You can request a copy of all personal data an organisation holds about you. They must respond within one calendar month, and the request is free of charge. Template letters are available at ico.org.uk.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your data where it's no longer necessary, you withdraw consent, or processing is unlawful. Not absolute — organisations can refuse if they have legitimate grounds (legal obligations, etc.).
- Right to Rectification: Correct inaccurate personal data. Organisations must respond within one month.
- Right to Data Portability: Receive your data in a structured, machine-readable format (e.g., to switch service providers). Applies to data processed by consent or contract.
- Right to Object: Object to processing for direct marketing — this must always be honoured. Also applies to legitimate interests processing (the organisation may override if it can demonstrate compelling grounds).
- Right to Restrict Processing: Pause processing of your data in certain circumstances (while accuracy is contested, or you've objected to processing).
How to Exercise Your Rights
| Right | How to Exercise | Response Time |
|---|---|---|
| Subject Access Request | Email/letter to Data Controller. Quote "Subject Access Request under UK GDPR" | 1 calendar month |
| Erasure request | Email/letter to Data Controller. Specify the data and grounds | 1 calendar month |
| Unsubscribe from marketing | Unsubscribe link in email, or email to opt out | Immediate (direct marketing: 10 working days max) |
| ICO complaint | ico.org.uk/make-a-complaint | ICO responds within 90 days typically |
Protecting Your Personal Data: Practical Steps
- Use a password manager: Bitwarden (free), 1Password, or Dashlane. Unique strong passwords for every account — the single most impactful security step.
- Enable two-factor authentication (2FA): On email, banking, and all important accounts. Use an app (Google Authenticator, Authy) rather than SMS where possible.
- Check Have I Been Pwned: Visit haveibeenpwned.com to see if your email has been in a known data breach.
- Review app permissions: On iOS: Settings → Privacy. On Android: Settings → Apps → Permissions. Revoke location, microphone, and camera access for apps that don't need them.
- Opt out of data broker profiles: Companies like Experian, Equifax, and various people-search sites hold extensive profiles. You can request removal — it's time-consuming but worthwhile.
UK-Specific Protections
- PECR (Privacy and Electronic Communications Regulations): Requires explicit consent for marketing emails, texts, and cookies. If you receive unsolicited marketing, report it to the ICO.
- Right to opt out of nuisance calls: Register with the Telephone Preference Service (TPS) at tpsonline.org.uk. It is illegal to make marketing calls to TPS-registered numbers.
- Credit file access: Free access to your credit report via Experian, Equifax, and TransUnion. Check annually for errors or fraudulent accounts.
Your Digital Privacy Action List
This week:
1. Install a password manager and generate unique passwords for your top 10 accounts.
2. Enable 2FA on email and banking.
3. Check haveibeenpwned.com for your email address.
4. Register with TPS if you're receiving nuisance calls.
5. Review the privacy settings on your smartphone apps.
These five actions take under two hours and significantly reduce your risk of identity theft and data misuse.