Jan 28, 2023

Data Protection Act 2018: Your Rights and How to Enforce Them

The rights everyone has under the Data Protection Act 2018 and how to enforce them.


The Data Protection Act 2018 transposed the EU's General Data Protection Regulation (GDPR) into UK national legislation. All organisations that collect and make use of personal data ("controllers") are required to follow rules set out in the legislation called "data protection principles". Controllers must ensure that the information is:

  • Used fairly, lawfully and transparently.
  • Used for purposes that have been explicitly specified.
  • Used in a manner that is limited to only what is strictly necessary.
  • Accurate and kept up to date where necessary.
  • Kept for no longer than is necessary.
  • Stored and handled in a way that ensures security and protection against unauthorised access.

Controllers have to be particularly vigilant in ensuring that the processing of personal data relating to special categories under the UK GDPR is compliant. Special category data includes, among other things, information relating to a data subject's religious beliefs and political opinions.

The Data Protection Act 2018 affords everyone the following rights.

You have the right to:

  • Access the information a company holds about you.
  • Ask a company to correct information you think is incorrect.
  • Be informed about how information about you is being processed and used.
  • Ask a company to erase information it holds about you.
  • Ask a company to stop or limit the processing of your information.
  • Get access to your information and reuse it for different purposes (data portability).
  • Raise an objection to how your information is used in certain situations.
  • Be protected from automated decision-making.
  • Intervene in the case of automated decision-making.

How can I enforce my rights?

Companies are obliged to share their data protection officer's contact details. If you are worried about how a company is handling your sensitive personal data, or should you wish to make a request with respect to your personal data, directly contacting the company's data protection officer is the place to start. You can ask for a copy of the information the organisation holds about you. If the company does not have a data protection officer, or you are unsure about who to write to, address your letter to the company secretary.

How long should it take to hear back?

The organisation must give you a copy of the information they hold about you as soon as possible, and within one month at most.

In certain circumstances, for example in the case of particularly complex or multiple requests, the organisation is allowed to take a further two months before getting back to you with the information. If this is the case, the organisation must inform you within one month about the delay and the reason for it.

Will I be asked to pay?

In most cases, requests for information will be free of charge. However, organisations are permitted to charge an administrative fee if you are asking for a large amount of information or your request will take a lot of time to process.

Can my request be declined?

There are certain circumstances where the organisation can withhold information from you. This can happen if the information relates to:

  • The prevention, detection or investigation of a crime.
  • National security or the armed forces.
  • The collection of tax.
  • Judicial or ministerial appointments.

Although this may sound surprising, an organisation does not have to disclose why certain information is being withheld.

What if my request is ignored?

If your request is ignored and you believe you have a valid claim, you should lodge a complaint with the Information Commissioner's Office (ICO). Lodging a complaint is straightforward and can be done through the ICO's website. If you submit a complaint, you will need to provide the ICO with the following information:

  • Copies of any letter or emails between you and the organisation that contain details of your complaint;
  • Any evidence that shows that the organisation has not complied with data protection law;
  • A letter of consent from the person the complaint is about, if you are complaining on someone else's behalf.

Make sure that you provide the information required by the ICO. Otherwise, the progress of your complaint may be delayed.

What can the ICO do?

The ICO will consider complaints and assess whether the organisation has breached data protection law. The regulatory body will share information on what they think should be done next. Where there is cause for concern, the ICO can make recommendations to organisations to put things right and ask the organisation to explain how they have ensured compliance with the provisions of the Data Protection Act 2018 with respect to the handling of your data. Where there are significant concerns about the legality of conduct, the ICO can take regulatory action.

What the ICO cannot do

The ICO is not a court or tribunal. It cannot award compensation, even where the body makes a finding that there has been a breach of data protection law. This is without prejudice to your legal right to claim compensation from the company if you have suffered damage as a result of its breaking data protection law.

Remember that you do not have to make a court claim to obtain compensation for potential damage caused. The organisation may simply agree to pay it to you. If out-of-court settlement is not successful, then your next step would be to apply to a court.

The body cannot process complaints that do not relate to personal information. The information must relate to an individual. The ICO will usually not deal with complaints where there has been an undue delay of three months or more with respect to bringing the conduct to the ICO's attention. Make sure you submit a complaint in a timely manner.

How long will it take to hear back from the ICO?

The ICO aims to allocate complaints within three months of receipt. Unfortunately, the ICO does not provide a timeframe for expected completion. However, the body does try to deal with complaints as soon as possible.

What are the possible outcomes?

There are several potential outcomes for a complaint lodged with the ICO:

  • A finding that the organisation has acted in accordance with the law. No further action will be required from the ICO.
  • The ICO may record and store your complaint to help build a portfolio of how a particular organisation is complying with the law before any further action is taken.
  • The ICO can ask the organisation to provide you with a copy of the information requested, or ask the organisation to do more work to help resolve your complaint.
  • The ICO can make recommendations to the organisation with respect to improving data protection practices. Possible recommendations include but are not limited to a review of policies and standards.
  • In the most serious of cases, the ICO can take regulatory action against the infringing organisation. As a rule of thumb, the ICO will use its formal powers in cases where there has been an accumulation of complaints.

What if I am not happy with the ICO's decision?

If you disagree with the outcome of the complaint, you can ask the ICO to do a case review. This will involve a reviewing officer going over the complaint and looking at how it was handled. The reviewing officer will come back to you with their findings within 30 calendar days.

The UK Data Protection framework provides an effective mechanism for enforcing your data privacy rights and raising complaints. Make sure you exhaust all your available options prior to seeking recourse before a court or tribunal.
