🔒 Data Protection Guide
Data Protection & Your Rights Under UK GDPR in 2026
Your employer, a company or a public body holds data about you. This guide explains your rights under UK GDPR — including Subject Access Requests, the right to erasure, and how to complain to the ICO.
✅ Last verified: July 2026 | 📚 Sources: GOV.UK, ACAS, Citizens Advice | 🇬🇧 Applies across the UK
⚖ Know Your Rights at a Glance
- Subject Access Request (SAR): You can request a copy of all personal data held about you by any organisation — it must be provided free within 1 month.
- Right to erasure ("right to be forgotten"): You can ask for your data to be deleted in certain circumstances.
- Right to correction: You can ask for inaccurate personal data to be corrected.
- Right to object: You can object to processing of your data for direct marketing — this must always be respected.
- ICO: The Information Commissioner's Office enforces UK GDPR and PECR. You can report organisations that breach your data rights.
- Employers and data: Your employer can hold data about you but must have a lawful basis, keep it secure, and not keep it longer than necessary.
Your rights under UK GDPR
UK GDPR (the UK's post-Brexit version of GDPR, retained in UK law) gives you the following rights over your personal data:
- Right to be informed: Organisations must tell you what data they hold, why, and how long they keep it (usually in a privacy policy)
- Right of access (SAR): Free copy of all your personal data within 1 month
- Right to rectification: Correction of inaccurate or incomplete data
- Right to erasure: Deletion of your data in certain circumstances (e.g. it's no longer needed, you withdraw consent)
- Right to restrict processing: Limiting what an organisation does with your data
- Right to data portability: Receive your data in a machine-readable format to transfer to another service
- Right to object: Stop processing for direct marketing (always) or for other purposes (where legitimate interests are the basis)
Subject Access Requests — how to make one
A Subject Access Request (SAR) lets you request all personal data an organisation holds about you. Steps:
- Write to the organisation's Data Protection Officer (DPO) or main contact — email is fine
- State clearly that you are making a Subject Access Request under UK GDPR Article 15
- Provide enough information to identify yourself (name, account number, address)
- You don't have to give a reason
The organisation must respond within 1 month (extendable by 2 months for complex requests with notice). The response must be free. If they refuse, they must explain why.
Your employer and your data
Your employer can lawfully hold personal data about you for employment-related purposes — payroll, performance, health and safety, disciplinary records. They must:
- Have a lawful basis for processing (usually contractual necessity or legal obligation)
- Tell you what data they hold and why
- Keep it accurate and up to date
- Not keep it longer than necessary
- Keep it secure
You can send your employer a SAR for your employment records — meeting notes, performance reviews, emails about you, disciplinary records. This is often useful before bringing an employment tribunal claim.
Complaining to the ICO
If an organisation breaches your data rights, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113. You should usually complain to the organisation first and allow them 3 months to respond before escalating to the ICO.
The ICO can investigate, issue enforcement notices and fines. For serious breaches (data security incidents, unlawful processing), the ICO can fine organisations up to £17.5 million or 4% of global annual turnover, whichever is higher.
1. Send a SAR to your employer before a tribunal claim: Email their HR/DPO asking for all personal data held about you. This often surfaces useful evidence — meeting notes, emails, disciplinary records.
2. Request erasure of data you no longer want held: Write to the organisation stating you are exercising your right to erasure under UK GDPR Article 17. Explain why (e.g. no longer necessary, consent withdrawn).
3. Object to direct marketing immediately: Write to the organisation stating you are objecting to direct marketing processing under UK GDPR Article 21. This is absolute — they must stop.
4. Complain to the ICO if your request is ignored: If an organisation ignores your SAR or refuses without justification, report to the ICO at ico.org.uk. The ICO can compel compliance.
5. Report data breaches: If an organisation loses or leaks your personal data, they must notify the ICO within 72 hours and notify you if the breach is likely to cause harm. If they don't, report to the ICO.
Frequently asked questions
Can I ask my employer for my emails and meeting notes?
Yes — a SAR covers all personal data held about you, including emails where you are discussed, meeting notes, and appraisal records. They must be provided to you free of charge within 1 month.
Can an organisation refuse my SAR?
Only in limited circumstances — if the request is manifestly unfounded or excessive, or if providing the data would reveal information about a third party that should not be shared. They must explain any refusal.
What is a Data Protection Officer and how do I contact one?
Larger organisations must appoint a DPO. Their contact details should be in the organisation's privacy policy. Small organisations may not have one — address your SAR to the organisation directly.
Can my employer monitor my work emails?
Yes, with some limits. Employers can monitor work communications for legitimate business purposes, but must tell you they do this in advance (usually in a staff handbook or IT policy). Covert monitoring has a much higher threshold.
What is the PECR?
The Privacy and Electronic Communications Regulations control how organisations can contact you by email, text and phone for marketing. Spam emails, nuisance calls and unsolicited texts may breach PECR — report to the ICO.
I received a data breach notification — what should I do?
Don't panic. Change passwords for affected accounts, monitor bank statements, and consider a credit check. If you suffer financial loss due to the breach, you may have a compensation claim against the organisation.
Can I claim compensation for a data breach?
Yes — UK GDPR Article 82 gives individuals the right to claim compensation for material or non-material damage caused by a data breach. This includes distress. Claims can be brought in the civil courts.
📞 Free help and support
ICO: 0303 123 1113 | ico.org.uk
Citizens Advice: 0800 144 8848
National Cyber Security Centre: ncsc.gov.uk
⚠ Important disclaimer: This guide covers data protection rights across the UK as at July 2026. General legal information only — not legal advice. Verify with ACAS, GOV.UK or Citizens Advice before acting. ukworkrights.co.uk — Not a law firm.