Online Privacy in the UK: Your Rights Explained

Around 69% of UK consumers state that they have high levels of online privacy concerns, yet many do not fully understand their data privacy rights under UK law. This often means that people do not fully exercise their rights, potentially letting their personal information be collected, used, and shared without proper consent. Below, we explain your data privacy rights as a UK citizen so you can be better informed of how to control your digital information.

UK Law and Your Rights

Online privacy in the UK is governed by two main laws:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018

Together, these laws outline how organisations must handle their users’ and clients’ data. They apply to both public and private organisations, regardless of where they are geographically based, as long as they handle data from people in the UK. The rights they give you include:

Right to Be Informed

Under Articles 12-14, organisations must clearly explain what personal data they collect from users, why they collect it, how long they plan to keep it, and with whom it may be shared. This information must be communicated in plain, accessible language, ensuring you can make informed decisions before sharing your data.

Right of Access or Subject Access Request (SAR)

You have the right to request and receive any and all data an organisation has about you. Under Article 12(3) of the UK GDPR, the organisation must send you your data within one month or up to three months for more complex requests. Under Article 12(5), this request must be fulfilled free of charge, except for requests that are ‘manifestly unfounded or excessive, in particular because of its repetitive character.’

Right to Rectification

If any personal data an organisation holds about you is inaccurate or incomplete, you have the right to request a correction under Article 16. Article 12(3) also covers this request, which means organisations also have one month to correct or complete their data about you. This right ensures that decisions based on your data, such as credit checks or service eligibility, are accurate and fair.

Right to Data Portability

When you request your data, you can also ask for it to be structured in commonly used machine-readable formats (such as CSV or JSON) to make it transferable to another service provider. This is under Article 20. For example, you can transfer your contacts from one platform to another, or even your fitness tracker data to a different health app.

Right to Object

You may also request that a service provider cease their processing of your data under Article 21. This applies to several scenarios, such as direct marketing, public interest tasks, or legitimate interest cases. While there are scenarios when an organisation might override this right, in the case of direct marketing specifically, they will need to stop without exception.

Right to Erasure (‘Right to Be Forgotten’)

Under Article 17, you also have the right to request the complete deletion of your personal data under certain circumstances. This right is not absolute, however. Under certain conditions, such as legal obligations or public interest reasons, organisations may be given the right to retain some of your data.

How the UK Regulates Online Privacy

The Information Commissioner’s Office (ICO) is the UK’s independent authority responsible for enforcing these data protection laws. They can investigate organisations, issue fines, and take enforcement action when companies do not comply with these legal requirements.

As such, if you have a complaint about how your data is processed, you can file it with the ICO. The ICO received 42,881 complaints in 2024/2025 and remains determined to help everyone protect their information.

Practical Steps to Protect Your Privacy

You can also take practical steps to protect your privacy yourself. Be proactive:

  1. Check your privacy settings — Take time to adjust these settings to limit data sharing and tracking.
  2. Learn about practical tools — When you browse online, use encrypted messaging apps, secure browsers, or download a VPN to secure your internet activities.
  3. Use complex passwords — Create a unique and long password for each account, avoiding personal info or dictionary words.
  4. Read privacy terms and conditions — Do this to make sure you’re not agreeing to exploitative practices and to know where your data is stored and how it is used.
  5. Exercise your rights — Don’t hesitate to contact companies or file complaints with the ICO.

These steps, aside from filing complaints or contacting organisations, can be quickly and easily done.

Data Privacy Is Constantly Evolving

Digital technology is always evolving, and so will online privacy and the regulations around it. As such, keep yourself informed on the latest news about data regulations through the ICO’s website to ensure you can keep exercising your rights effectively.