9. A Simple Guide to Requests from People About Their Data

Privacy Culture | August 1, 2025

How to recognise and handle data subject requests under UK GDPR

Under the UK GDPR, everyone has rights over their personal data. They can ask to see it, correct it, delete it or limit how it is used. These are called data subject rights or individual rights requests. Every organisation must know how to recognise and respond to them.

If you remember nothing else, remember this: any staff member can receive a request, so everyone must know what to do.

1. What are data subject rights

People have eight main rights under the UK GDPR:

  1. Right to be informed – to know how their data is used.
  2. Right of access – to get a copy of their data.
  3. Right to rectification – to correct inaccuracies.
  4. Right to erasure – to have data deleted.
  5. Right to restrict processing – to limit how it’s used.
  6. Right to data portability – to move their data to another provider.
  7. Right to object – to stop processing for certain purposes.
  8. Rights related to automated decision-making – to question decisions made solely by algorithms.

These rights apply to employees, customers and anyone whose data you process.

2. Recognising a request

A request does not have to mention GDPR or use legal language. If someone says, “Can I see what information you have about me?” or “Please delete my data,” that counts.

Requests can arrive through:

  • Email or letter
  • Online form or social media message
  • Verbal request to a staff member

All must be handled the same way. The 30-day deadline to respond starts as soon as the request is received, not when it reaches the privacy team.

3. How to handle a request

When a request comes in:

  1. Confirm the identity of the requester before sharing data.
  2. Pass the request to your data protection officer or privacy lead immediately.
  3. Record the date and method of receipt.
  4. Work with relevant departments to locate the data.
  5. Respond clearly and within 30 days.

If the request is complex, the time can be extended by another two months, but the person must be told within the first month.

4. Exemptions and balance

Not every request has to be granted in full. There are exemptions where data must be protected for legal, security or confidentiality reasons. For example, you may withhold information that identifies another person, or keep data needed for ongoing legal claims.

However, these exemptions should be applied narrowly and explained to the requester. Transparency is key.

5. Keeping records and learning

Document every request and your response. This shows accountability and helps track patterns.

  • Keep a log with date, requester, type of right and outcome.
  • Review common types of requests to identify problem areas.
  • Train staff regularly so they recognise and escalate requests quickly.

6. Monday morning takeaways

If you receive a request:

  1. Recognise it and pass it to your privacy lead.
  2. Verify identity before taking action.
  3. Respond clearly and on time.
  4. Keep a record of what was done.
  5. Stay polite and transparent.

If you manage a team:

  1. Train everyone to spot and report requests.
  2. Keep a central log and tracking system.
  3. Make template responses for consistency.
  4. Review and improve your process regularly.

Quick summary

| Key point | What it means | Why it matters |
| --- | --- | --- |
| Individual rights | Legal rights under GDPR | Must be respected |
| Access and erasure | Common types of requests | Require timely response |
| Verification | Confirm identity first | Prevents data misuse |
| Exemptions | Limited reasons to refuse | Protects fairness |
| Record keeping | Log all requests | Shows accountability |

In plain terms

Data rights are not a legal trap; they are about respect and control. When someone asks about their data, treat it seriously and respond clearly. Handling these requests well builds trust and shows your organisation takes privacy seriously.
