Skip to content

What Rights Do My Customers Have Under UK GDPR?

Table of Contents

In Short

  • UK GDPR grants individuals rights such as access, rectification, and erasure of personal data.
  • Businesses must respond to requests within a set timeframe and ensure staff are trained to handle these rights.
  • Failing to comply with customer rights can result in penalties and reputational damage.

Tips for Businesses

Ensure your staff are trained on UK GDPR rules and can respond to data requests efficiently. Have a clear, accessible privacy policy that outlines customer rights to foster trust and compliance.

The UK General Data Protection Regulation (UK GDPR) seeks to grant individuals control over their personal data and affords them a range of rights. As a business owner, you must respect these rights to comply with legal obligations, build customer trust, and avoid penalties. Understanding and implementing procedures to correctly handle these rights is crucial for your business. This article explores some key rights under UK GDPR that your customers have if your company acts as a data controller. 

What Are Some of the Key Rights Of Individuals Under UK GDPR?

Suppose your business collects personal data from your customers, e.g. their names, addresses, payment information, or other information as a data controller. In that case, you have several critical obligations under the UK GDPR. One of the essential obligations is to comply with data subject rights requests. Failing to comply with your customers’ rights requests can result in penalties, reputational damage, and a loss of trust – you should note that your customers can complain to the ICO should your business fail to comply with their data subject rights.  

Here is a summary of some of the fundamental rights which your customers as data subjects have under data protection law: 

Right to Be Informed

Your customers have the right to know how your business collects, processes, and stores their data. You need to explain why you are collecting the data, how long you will keep it, and who you will share it with. You can provide this information by issuing your customers a privacy policy document. This policy must be written in plain, understandable language so that your customers fully grasp how your business will process their data. 

Privacy policies are vital documents for compliance and are often public-facing; companies commonly publish them on their websites. 

Right of Access

Customers can submit a Subject Access Request to request access to their personal data. Your business must provide a copy of the requested data, generally within one month (with the scope of extending the period in certain circumstances), and explain other essential information on how it is processed. 

There are limited exemptions which your business can rely upon should you have grounds to refuse a request, such as if it is manifestly unfounded or excessive. 

Right to Rectification

Customers can ask your business to correct inaccurate or incomplete personal data. Your company must respond promptly to ensure the data’s accuracy. 

Right to Erasure 

Customers can request the deletion of their personal data in certain circumstances – for instance, when it is no longer necessary for the original purpose or if they withdraw consent. However, this right is not absolute, and certain exceptions may permit your business to retain specific data.

Right to Restrict Processing

Customers can request that your business restrict the processing of their personal data in certain circumstances.

Right to Data Portability

Customers can request their personal data in a machine-readable format and transfer it to another service provider if the processing is based on consent or a contract, and the processing is carried out by automated means. Portability helps ensure that customers maintain control over their data and can easily switch to another business without losing access to their personal information.

Right to Object

Customers can object to the processing of their data, for instance, for direct marketing or profiling. 

Rights Related to Automated Decision-Making

Individuals also have certain rights concerning your business carrying out automated decision-making and profiling. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

These rights can be complex to navigate, and usually, you will need to respond within one calendar month from receipt unless you can justify an extension, but correctly complying with them is vital. If you are unsure about what to do if a customer exercises any of these rights, you should seek legal advice from a data protection solicitor. 

Which Steps Can You Take to Ensure Your Business Complies with UK GDPR?

As a data controller, your business should take steps to help facilitate the exercise of data subject rights

Here are some key your business can take to help itself comply with these vital data subject rights: 

Train Your Team on UK GDPR Compliance and Implement Appropriate Policies and Procedures 

Your business should train your staff regularly on how to handle personal data securely and in accordance with UK GDPR rules. You should ensure your employees know how to respond to customer requests and follow best practices for data protection. For instance, you could allocate responsibilities to key individuals to respond to data subject rights. Alternatively, ask staff to escalate requests to senior management or your Data Protection Officer or Data Privacy Manager.

You should update your training when any laws or your internal processes change to minimise the risk of breaches of your legal obligations. Well-informed staff are critical for day-to-day compliance and ensure that all data subject rights are dealt with appropriately.

You can also implement key documents such as a Data Protection Policy and Data Subject Rights Policy. This can help staff understand your company’s obligations and how to handle data subject rights requests when they arise. 

Communicate Customers’ Rights Clearly

Your business must ensure customers understand their rights by clearly explaining the same in your privacy policy. This can help customers feel confident by clearly setting out how they can exercise their rights. Transparency is key to fostering trust. A well-communicated privacy policy will help make it easier for customers to exercise their rights. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Key Takeaways

UK GDPR grants your customers significant control over their personal data and several key rights. Your business must take proactive steps to respect and implement these rights. By implementing clear and comprehensive policies, training your staff, and informing customers about their rights, your business can build trust, demonstrate compliance with the UK GDPR rules, and be in a better position to avoid penalties. 

If you need advice on UK GDPR compliance and data subject rights, our experienced data privacy lawyers can assist you through LegalVision’s membership service. For a low monthly fee, you will have unlimited access to our lawyers, who can answer your questions and draft or review your documents. Call us today at 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is the UK GDPR?

The UK GDPR is the key law which governs how your business handles personal data. It gives individuals control over their personal information. It requires your company to comply with strict rules on data collection, processing, and security.

What are data subject rights?

Data subject rights are very data subject friendly and include the right to access personal data, correct inaccurate information, delete data, restrict processing and object to specific uses in certain cases. Your business must uphold these rights to comply with UK data protection law rules. 

Register for our free webinars

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards