Data protection compliance overview

The UK General Data Protection Regulation (UK GDPR) provides for enhanced rights for data subjects including providing rights of access, rectification, erasure and restriction of processing, data portability, a right to object to processing and rights relating to automated decision making, including profiling, with strict time limits for complying. 

Right of access

Article 15 of the UK GDPR provides that the data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed from the data controller, and where it is, access to the personal data and certain further information—a right of access.

The UK GDPR sets out mandatory categories of information which must be supplied in connection with a data subject access request. See Lexis®PSL Q&A: What data/information can a data subject request from me under the right of access?

In most circumstances, you must provide a copy of the personal data free of charge. For any further copies requested by the data subject, you are allowed to charge a reasonable fee based on administrative costs. See Lexis®PSL Q&A: Can I charge a fee for dealing with a data subject access request?

Lexis®PSL Practice Note: Data subject rights—access explains the right to access and considers compliance strategies for businesses.

The Data protection compliance subtopic in Lexis®PSL also contains the following Precedents to help you comply with the right of access:


Rights to rectification, erasure and restriction of processing

Articles 16 to 19 of the UK GDPR contain rights to request that:

  • inaccurate personal data is rectified
  • personal data is erased, and/or
  • the processing of personal data is restricted so that the data may only be held and used for limited purposes by the controller

See further, Lexis®PSL Practice Note: Data subject rights—rectification, erasure and restriction of processing.

This Lexis®PSL subtopic also contains the following Precedents to help you comply with these rights:


Right to data portability

Article 20 of the UK GDPR sets out a right to data portability. This is essentially a right to receive and/or transfer personal data between data controllers. This right overlaps with the right of access, but it is not the same.

For some organisations, this right may create a significant burden, requiring substantial investment in systems and processes. See further, Lexis®PSL Practice Note: Data subject rights—data portability.

This Lexis®PSL subtopic also contains the following Precedents to help you comply with the right to data portability:


Right to object to processing

Article 21 of the UK GDPR gives individuals a right to object to specific types of processing. See further Lexis®PSL Practice Note: Data subject rights—objection to processing.

This Lexis®PSL subtopic also contains the following Precedents to help you comply with a data subject’s right to object to processing:


Right not to be subject to a decision based solely on automated processing—including profiling

Article 22 of the UK GDPR contains a right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning them or similarly significantly affects them. This is intended as a safeguard against the risk that a potentially damaging decision is taken without human intervention.

While this is described in the UK GDPR as a right, it is in essence a prohibition on decision making based solely on automated processing, which applies whether or not the data subject takes action regarding the processing of their personal data. See further, Lexis®PSL Practice Note: Data subject rights—automated decision making, including profiling.


Data subject requests processes and procedures

Data subjects have significantly enhanced rights while you have only a limited amount of time to deal with requests and limited ability to charge the data subject for them.

You need to implement processes to be able to comply with the full range of data subject rights.

This Lexis®PSL subtopic contains various tools to help you do that while reducing time and cost, including:

Q&As—short guidance notes covering key questions, eg:

      Precedents:

      For more information on privacy notices and associated precedents, see Lexis®PSL subtopic: Privacy policies and notices.