Data Protection & Privacy Law UK 2025 — Your GDPR Rights Explained
Last reviewed: May 2025 — Information applies to England and Wales
Your rights under UK GDPR and the Data Protection Act 2018. Subject access requests, data breaches, ICO complaints, and online privacy explained.
Data Protection Law in the UK
Since Brexit, UK data protection law is governed by two main instruments: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The UK GDPR closely mirrors the EU GDPR but applies in Great Britain (Northern Ireland is subject to different rules due to the Windsor Framework). The Information Commissioner's Office (ICO) is the independent supervisory authority responsible for enforcing data protection law in the UK.
Your Rights Under UK GDPR
The UK GDPR gives individuals eight fundamental rights in relation to their personal data:
- Right to be informed — organisations must tell you clearly who they are, why they are processing your data, and how long they will keep it (usually in a privacy notice).
- Right of access — you can request a copy of all personal data an organisation holds about you (a Subject Access Request or SAR). Organisations must respond within one calendar month.
- Right to rectification — you can ask for inaccurate data to be corrected or incomplete data to be completed.
- Right to erasure — also known as the "right to be forgotten". You can ask for your data to be deleted in certain circumstances, such as when the data is no longer necessary or you withdraw consent.
- Right to restrict processing — you can ask an organisation to pause processing your data while a dispute is being resolved.
- Right to data portability — you can receive your data in a structured, machine-readable format and transfer it to another provider.
- Right to object — you can object to processing based on legitimate interests or for direct marketing. Marketing objections must be honoured immediately.
- Rights related to automated decision-making — you have the right not to be subject to decisions made solely by automated means if they significantly affect you, such as automated credit scoring.
Lawful Bases for Processing Personal Data
Under Article 6 of the UK GDPR, organisations must have a lawful basis for processing your personal data. The six lawful bases are:
- Consent — must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count as valid consent.
- Contract — processing is necessary for a contract with you, or to take steps prior to entering one.
- Legal obligation — processing is required under UK law.
- Vital interests — processing is necessary to protect someone's life.
- Public task — processing is carried out in the public interest or under official authority.
- Legitimate interests — a flexible basis under which the organisation's interests are balanced against your rights; it must be assessed on a case-by-case basis.
Making a Subject Access Request (SAR)
You have the right to ask any organisation that processes your personal data to provide you with a copy of that data. Your request should be in writing (email is fine), clearly identify yourself, and specify what data you want. The organisation must respond within one calendar month. The response is free of charge in most cases, though a reasonable fee can be charged for manifestly unfounded or excessive requests. Organisations can refuse to comply in limited circumstances — for example, where disclosure would adversely affect the rights of others.
Data Breaches — Your Rights as a Victim
A personal data breach is any security incident that affects the confidentiality, integrity, or availability of your personal data. This includes unauthorised access, accidental disclosure, or ransomware attacks. Under UK GDPR, organisations must report certain breaches to the ICO within 72 hours of becoming aware of them, and must notify affected individuals "without undue delay" where there is a high risk of harm.
If you have been affected by a data breach, you may be entitled to compensation under Article 82 UK GDPR if you have suffered material damage (financial loss) or non-material damage (distress). You can bring a claim in the civil courts. Many data breach claims are handled on a no-win no-fee basis by specialist solicitors.
Cookies and Online Tracking
The use of cookies and similar tracking technologies is regulated by the Privacy and Electronic Communications Regulations 2003 (PECR), which work alongside UK GDPR. Websites must obtain your informed consent before placing non-essential cookies (such as analytics or advertising cookies) on your device. Strictly necessary cookies — those required for the website to function — do not require consent. Cookie consent banners must offer a genuine choice and must not use dark patterns (such as making the "reject" option harder to find).
Direct Marketing Rules
Under PECR, businesses must not send you unsolicited marketing emails, texts, or automated calls without your prior consent (the "opt-in" rule). The Telephone Preference Service (TPS) and Corporate TPS allow individuals and businesses to opt out of live marketing calls. You have an absolute right to object to any direct marketing addressed to you — organisations must stop immediately on receiving a valid objection.
The Information Commissioner's Office (ICO)
The ICO is the UK's independent supervisory authority for data protection. If you believe your data rights have been violated, you can complain to the ICO online at ico.org.uk. The ICO can investigate complaints, issue enforcement notices, and impose fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches. The ICO also provides guidance and resources for both individuals and organisations.