---
title: "UK GDPR Data Subject Rights"
canonical_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/data-subject-rights"
source_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/data-subject-rights"
author: "Sorena AI"
description: "Operational guide to UK GDPR data subject rights, including access, rectification, erasure, restriction, portability, objection."
keywords:
  - "UK GDPR data subject rights"
  - "subject access request UK"
  - "UK GDPR one month response"
  - "UK GDPR rights workflow"
  - "UK GDPR rights"
  - "Subject access request"
  - "One month response"
---
# UK GDPR Data Subject Rights

Operational guide to UK GDPR data subject rights, including access, rectification, erasure, restriction, portability, and objection.

Run rights workflows that meet ICO timing, verification, and disclosure expectations.

Good rights operations depend on searchability, ownership, and documented exceptions, not on ad hoc inbox handling.

Under UK GDPR, rights handling is a core operational function. The business needs to know what right was invoked, what identity checks were appropriate, what exceptions apply, and when the response clock ends.

## Rights inventory and timing

The main operational rights are access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. Most requests must be answered without undue delay and within one month.

- Categorise requests by right invoked and the systems affected
- Track the one-month deadline from receipt of a valid request
- Record any extension notice and why it was needed
- Keep denial and partial disclosure rationales with the legal basis used

## Verification and search strategy

The ICO expects verification to be proportionate. Ask only for what is needed to confirm identity or authority. Excessive verification creates its own compliance risk.

- Use account authentication where appropriate
- Avoid requesting data you do not actually need to verify the request
- Search processors and key downstream systems as part of the standard workflow
- Keep a clear audit trail of searches, exceptions, and disclosures made

## Common failure points

The most common failures are weak search coverage, poor exception handling, and inconsistent coordination with vendors.

- Maintain a rights playbook for legal, support, and engineering teams
- Use templates for access packages, erasure outcomes, and refusal notices
- Train vendors and internal teams on response timelines and escalation
- Measure cycle time, backlog, refusal reasons, and repeat complaints

## Primary sources

- [ICO guide to individual rights](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/a-guide-to-individual-rights/?ref=sorena.io) - Operational rights guidance.
- [ICO guide to accountability and governance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Accountability, records, and contracts guidance.
- [ICO documentation guidance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/documentation/?ref=sorena.io) - Article 30 and supporting documentation guidance.
- [UK GDPR on legislation.gov.uk](https://www.legislation.gov.uk/eur/2016/679/contents?ref=sorena.io) - UK legislative text.

(c) 2026 Sorena AB (559573-7338). All rights reserved.

