Go to page content
hero - SAR - desktop
hero - SAR - mobile@2x

Your individual rights under GDPR

GDPR has given people more rights over their personal data than ever before. Find out how to use yours today.

What is GDPR?

GDPR stands for General Data Protection Regulation. It's a set of EU regulations that give people more rights over their personal data, and limits what organisations can do with it.

When it was introduced in 2018, it was a huge step forward for consumer rights. Thanks to GDPR, you now have more rights over your data than ever before.

Jargon buster

Personal data is any information that can identify you, directly or indirectly. For example, your name, preferences or medical history.

Why was GDPR needed?

Before GDPR, there simply wasn’t enough regulation around how personal data was being used by companies. As cases like the Cambridge Analytica scandal showed, many companies were exploiting this opportunity at the expense of individuals.

New laws were needed to protect people's rights, and to keep up with the revolutionary ways in which data was and still is mined.

Many people would argue that GDPR still doesn't go far enough. This is because it's all too common for companies to collect, store and share personal data without full consent.

Is it the same in every country?

GDPR was written in a general way to allow countries to make their own small changes to suit their needs. In the UK, our version is called The Data Protection Act (2018). All of the points that we cover on this page apply to both.

What are my consumer rights under GDPR?

GDPR gives you as an individual much greater control over your own data and secures these eight rights:

  1. The right to be informed: Organisations must be transparent about what they're doing with your personal data.
  2. The right of access: You have the right to know exactly what information is being held about you.
  3. The right of rectification: You're entitled to have personal data corrected if it's wrong or incomplete.
  4. The right to erasure: You have the right to demand your personal data should be removed or deleted.
  5. The right to restrict processing: You have the right to block a company from processing your personal data.
  6. The right to data portability: You have the right to retain and reuse your personal data for your own purposes.
  7. The right to object: In some cases, you have the right to object to your personal data being used at all.
  8. Rights of automated decision making: The law puts safeguards in place to protect you from potentially damaging decisions being made about your personal data without human intervention.

How can I use my eight GDPR rights in practice?

  • You can find out what any company holds on you, by simply sending a Subject Access Request (SAR).
  • You can correct your own personal data if it's wrong or out of date.
  • You can tell a company to erase your personal data. This is also known as the 'right to be forgotten'.
  • You can limit how a company handles your data, for example telling them to delete some of it rather than all of it.
  • Because it belongs to you, you can share or transfer your personal data from one service to another.
  • You can tell companies not to use your data in certain ways, like for marketing purposes.
  • A company needs your explicit consent, a contract, or a legal justification for making a decision about your data without human involvement. If you suspect that they've acted without your consent, you can contact or report them.

What is GDPR compliance?

GDPR compliance means complying to General Data Protection Regulation. Companies that don't adhere to GDPR, who are non-compliant, can face large fines. We've got a fair bit of advice for companies on how to improve their data practices in our blog.

Want to use your GDPR rights?

Clean up your digital footprint today


Absolutely. The purpose of GDPR is to make data practices fairer, which means giving more rights to individuals over their personal data, and placing restrictions on what companies can do with it.

There are a couple of key implications for businesses:

Financial penalties:

Businesses who do not comply with the GDPR regulations can be fined. The fines for noncompliance are: up to $23 million or 4% of annual global turnover. For example, British Airways were fined $230 million in 2018 when the booking details of 500,000 customers were stolen in a cyber attack.

Increased spending on data protection:

For most businesses, the GDPR will require greater compliance spending. Businesses must ensure their operational processes and technology are up to the latest standards and protocols.

An opportunity to build customer trust:

These expenses can result in greater trust and confidence from customers. With personal data usage becoming increasingly seen as negative, with loud media coverage on the bad actions of a few organisations, trust with data is becoming a more valuable asset for businesses.

The seven key principles of GDPR govern how personal data must be handled. This is mainly relevant for business, but they are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

If you're a business who needs advice about how best to respond to a SAR or write a privacy notice, check out our blog.

GDPR is one of the most comprehensive data protection laws in the world.

Although there are many types of privacy legislation in the world, GDPR is most often compared to the California Consumer Privacy Act (CCPA), which is the first big state-wide privacy legislation in the US and came into effect in early 2020. To see how they compare, you can check out our blog here.

Related Blog Articles

Keeping your data safe