The UK General Data Protection Regulation (UK GDPR) provides for enhanced rights for data subjects, including rights of access, rectification, erasure and restriction of processing, data portability, a right to object to processing and rights relating to automated decision making, including profiling, all subject to strict time limits for compliance.
Right of access
Article 15 of the UK GDPR provides that the data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and, where it is, access to the personal data and certain further information—a right of access.
The UK GDPR sets out mandatory categories of information which must be supplied in connection with a data subject access request. See Lexis®PSL Q&A: What data/information can a data subject request from me under the right of access?
In most circumstances, you must provide a copy of the personal data free of charge. For any further copies requested by the data subject, you are allowed to charge a reasonable fee based on administrative costs. See Lexis®PSL Q&A: Can I charge a fee for dealing with a data subject access request?
Lexis®PSL Practice Note: Data subject rights—access explains the right to access and considers compliance strategies for businesses.
The Data protection compliance subtopic in Lexis®PSL also contains the following Precedents to help you comply with the right of access:
- Response to data subject request—right of access—able to comply with request
- Response to data subject request—right of access—unable to comply with request
- Response to data subject request—right of access—seeking clarification
- Data subject access request form
Rights to rectification, erasure and restriction of processing
Articles 16 to 19 of the UK GDPR contain rights to request that:
- inaccurate personal data is rectified
- personal data is erased, and/or
- the processing of personal data is restricted so that the data may only be held and used for limited purposes by the controller
See further, Lexis®PSL Practice Note: Data subject rights—rectification, erasure and restriction of processing.
This Lexis®PSL subtopic also contains the following Precedents to help you comply with these rights:
- Response to data subject request—right of rectification
- Letter to data subject—establishing temporary restriction on processing
- Notice to data subject—right to restriction of processing—lifting restriction
- Response to data subject request—right to restriction of processing—able to comply with request
- Response to data subject request—right to restriction of processing—unable to comply with request
- Response to data subject request—right to erasure—able to comply with request
- Response to data subject request—right to erasure—unable to comply with request
- Notice to controller—data subject request for erasure of data—where data has been made public
- Notice to third party—data subject request for rectification, erasure or restriction of processing of data
Right to data portability
Article 20 of the UK GDPR sets out a right to data portability. This is essentially a right to receive and/or transfer personal data between data controllers. This right overlaps with the right of access, but it is not the same.
For some organisations, this right may create a significant burden, requiring substantial investment in systems and processes. See further, Lexis®PSL Practice Note: Data subject rights—data portability.
This Lexis®PSL subtopic also contains the following Precedents to help you comply with the right to data portability:
- Response to data subject request—right of portability—clarifying data and format
- Response to data subject request—right of portability—able to comply with request
- Response to data subject request—right to portability—unable to comply with request
Right to object to processing
Article 21 of the UK GDPR gives individuals a right to object to specific types of processing. See further Lexis®PSL Practice Note: Data subject rights—objection to processing.
This Lexis®PSL subtopic also contains the following Precedents to help you comply with a data subject’s right to object to processing:
- Response to data subject request—right to object—able to comply with request
- Response to data subject request—right to object—unable to comply with request
Right not to be subject to a decision based solely on automated processing—including profiling
Article 22 of the UK GDPR contains a right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning them or similarly significantly affects them. This is intended as a safeguard against the risk that a potentially damaging decision is taken without human intervention.
While this is described in the UK GDPR as a right, it is in essence a prohibition on decision making based solely on automated processing, which applies whether or not the data subject takes action regarding the processing of their personal data. See further, Lexis®PSL Practice Note: Data subject rights—automated decision making, including profiling.
Data subject requests processes and procedures
Data subjects have significantly enhanced rights while you have only a limited amount of time to deal with requests and limited ability to charge the data subject for them.
You need to implement processes to be able to comply with the full range of data subject rights.
This Lexis®PSL subtopic contains various tools to help you do that while reducing time and cost, including:
Q&As—short guidance notes covering key questions, eg:
- Can I charge a fee for dealing with a data subject access request?
- How long do I have to comply with a data subject request?
- What data/information can a data subject request from me under the right of access?
- How do I calculate the time limit for responding to a data subject request?
- How do we respond to customers who question or challenge us in relation to automated decision making?
- Refusing a data subject request—what is ‘manifestly unfounded or excessive’?
- What makes a data subject access request ‘complex’?
Precedents:
- a range of precedent response letters and notices to assist you when handling individual requests from data subjects—eg Precedent: Response to data subject request—all rights—requesting identity information or confirming authority
- template forms that can be made available to data subjects to obtain the best possible information as to what they are requesting and where it might be found—see, eg Precedent: Data subject access request form
- Policy—data subject access requests
- Policy—data protection
- Policy—criminal records information
- Data protection privacy notice (employment)
- Data protection privacy notice (recruitment)
For more information on privacy notices and associated precedents, see Lexis®PSL subtopic: Privacy policies and notices.