Data Breach & ICO Complaint Checker UK 2025 — Your Rights Under UK GDPR
Under the UK GDPR and Data Protection Act 2018, organisations must protect your personal data. If they fail — whether through a breach, unlawful processing, or refusal to honour your rights — you can complain to the Information Commissioner’s Office (ICO) and may be entitled to compensation. This checker explains your rights and how to exercise them.
UK GDPR rights: Subject Access Request must be fulfilled within 1 month (free). ICO complaint: ideally within 3 months of final response from organisation. Compensation claims in county court: 6-year limitation. ICO cannot award compensation but an ICO decision supports a court claim.
UK GDPR Rights at a Glance
| Right | What it means | Deadline for organisation |
|---|---|---|
| Right of access (SAR) | Copy of all your personal data | 1 month (extendable to 3) |
| Right to rectification | Correct inaccurate data | 1 month |
| Right to erasure | Delete data in certain circumstances | 1 month |
| Right to restrict processing | Limit how your data is used | 1 month |
| Right to data portability | Receive data in machine-readable format | 1 month |
| Right to object | Object to processing (incl. direct marketing) | Must stop direct marketing immediately |
| Automated decision rights | Human review of automated decisions | On request |
Subject Access Requests — Practical Guide
A Subject Access Request (SAR) is one of the most powerful tools available to individuals. You can request it from any organisation — employer, ex-employer, GP, hospital, bank, insurer, landlord, school, or any other data controller. The organisation must provide: a copy of all personal data; information about the purposes of processing; the categories of data held; any recipients the data has been shared with; and the retention period.
Practical tips: send the SAR by email or recorded letter to the organisation’s Data Protection Officer (or general contact if no DPO); be clear it is a Subject Access Request under UK GDPR; include enough information to identify yourself; set a calendar reminder for 1 month after sending. If they fail to respond within 1 month without a valid reason (complex request requiring up to 3 months), complain to the ICO.
Data Breach Notification Rights
If an organisation suffers a personal data breach that risks your rights and freedoms, it must notify the ICO within 72 hours and notify you “without undue delay”. You do not have a right to be notified of all breaches — only those likely to result in a high risk to your rights. However, if you discover a breach affecting you (e.g. via a news report or dark web alert), you can request confirmation from the organisation and complain to the ICO.
Compensation — Court Claims
The ICO cannot award you compensation — only investigate and fine the organisation. For compensation, you must go to court (county court for most claims). Court claims can be made for material damage (financial loss) and non-material damage (distress, loss of control of your data, reputational damage). Courts have awarded sums ranging from a few hundred pounds for minor distress to tens of thousands for serious breaches involving sensitive data.
Frequently Asked Questions
Can an employer refuse a Subject Access Request? Generally no. Employers must fulfil SARs like any other data controller. However, they can redact third-party personal data (e.g. names of colleagues) if disclosure would reveal that person’s data. They cannot withhold data about you simply because it is embarrassing or relevant to a dispute. Refusing to fulfil a SAR is a breach of UK GDPR. Complain to the ICO, and note that SAR data can be valuable evidence in employment tribunal proceedings.
Under the Privacy and Electronic Communications Regulations (PECR), organisations can send marketing emails to existing customers without separate opt-in consent (the “soft opt-in”) if: the email address was collected during a sale or negotiation; the marketing is for similar products or services; and an opt-out was offered at the time of collection and is offered in every subsequent message. Cold marketing emails to people who have not opted in are generally unlawful.