Skip To The Main Content

Guide to the eight rights of Individuals

The eight rights  of all individuals will be a key part of the new regulation for general data protection (GDPR) when it  comes into force in May 2018. These eight rights are to protect  individuals when a business processes their personal data. The rights are a combination of new rules and other regulations that currently exist under the Data Protection Act (DPA).

There is a lot of information for businesses to  find out about. This guide aims to explain the eight rights, how and when you must comply with them, and what else important to know.

Guide to the eight rights of  Individuals

1. The right to be informed

This right is concerned with informing an individual how and why you’re using their personal data. You should provide details of processing information, typically, through a privacy notice. The details of the information that you must provide, is dependent on whether or not you obtained the personal data from the individual directly or from a third party.   General information  that you should always provide include  who you are, what you’ll be doing with the info, and who you’ll share it with. Details should also include:

  • The controller’s (most likely you) identity and contact details, as well as those of your data protection officer, if you have one.
  • The purpose of the processing and your interest in using the data
  • Your data retention period or the criteria you apply to determine your retention periods
  • That the individual has a right to withdraw their consent, where relevant
  • How the individual can withdraw consent and lodge a complaint, if they wish to do so

All information should be easy for individuals to access and provided free of charge. It should also be written in a way that is  clear, concise and easy to understand, especially if you’re sending it to a child. 

It’s important to know that:

If you’ve obtained personal data directly from the subject, you should supply the required information immediately. However, if you’ve obtained it indirectly you can usually provide it within a reasonable period (within one month). If you want to disclose the data to another recipient or if you want to use the data to communicate with the individual, you have to provide the information on or before the disclosure or before the communication.

2. The right of access

This is concerned with providing individuals with access to their data to confirm it’s being processed, making them aware of what information is being used, and allow them to verify that the processing is lawful. Upon request, you should provide data:

  • Free of charge
  • Within one month of an individual requesting it. You can, however, extend this by a further two months if requests are complex or you have many to deal with. If you do this, you should inform the individual within one month and give them a good reason why you need an extension.
  • In an electronic format if the request is made electronically

It’s important to know that:

If you think a request is “manifestly unfounded or excessive”, for example because the request is  repetitive, you can charge the individual a reasonable fee, considering your administrative costs, or you can refuse to respond. If you refuse, you must explain to the individual why, and inform them they can complain to the Information Commissioner’s Office (ICO).

3. The right to rectification

Sometimes referred to as the right to have information corrected, this is concerned with the individual being entitled to having their data rectified – if it’s inaccurate, out of date or incomplete. If an individual makes a request for rectification, you should:

  • Inform the individual about third parties you have sent their data to where appropriate
  • Inform those third parties that the data is being rectified, where possible
  • Comply with a request for rectification within one month. This can be extended by two months if a request is complex.

It’s important to know that:

If you decide not to take action following a request for rectification, you should explain why to the individual. It’s important to also inform them that they can complain to the ICO or bring a complaint before a court.

4. The right to erasure

Also known as the right to be forgotten, this is concerned with an individual’s right to request to have their data removed when there’s no reason to continue processing it. You should also inform third parties, which you’ve sent their data to, that you’re erasing it, unless it’s impossible or will involve a disproportionate effort.

However, the individual’s right to be forgotten is only under specific circumstances. This includes:

  • Where processing data is no longer necessary for the purpose it was first collected
  • When an individual has objected to having their data processed or has withdrawn consent
  • If the data was unlawfully processed, so is in breach of GDPR

It’s important to know that:

In certain circumstances, you can refuse a request to erase an individual’s data. This includes if it’s being processed to comply with a legal obligation for performing a task that’s been carried out in the public’s interest. Other examples include refusal for public health purposes, or the exercise of legal claims.

The right also is not limited to processing that causes the individual damage or distress, as current per Data Protection Act guidelines. However, any damage or distress caused is likely to make an individual’s case for erasing their data stronger.

5. The right to restrict processing

This means the individual has the right to block or suppress the processing of their data. You should restrict data processing for different reasons, including: 

  • When an individual contests the accuracy of their data. You should restrict processing until accuracy is verified
  • When an individual has objected to the processing
  • If you no longer need the data, but the individual needs it to establish or defend a legal claim

You should inform all third parties to whom you have disclosed the personal data, about restricting the processing.. You should also inform the individual if you decide to lift a restriction on processing

It’s important to know that:

When processing is restricted, you’re allowed to store that data but not process it any further. You can also retain enough information to ensure a restriction is respected.

6. The right to data portability

This is concerned with allowing an individual to obtain and safely reuse their data across different services for their own purposes. An example of when they might want to do this includes using their data on a price comparison website, or to help understand their spending habits. You should provide data:

  • Within one month, free of charge
  • In a structured and machine-readable format. This means that software can extract specific elements of information, allowing other organisations to reuse the data at the individual’s request

It’s important to know that:

The right to data portability only applies  where the individual in question has provided the data,  if processing is based on the individual’s consent or to perform a contract and also when processing is done by automated means.

7. The right to object

This means an individual has the right to object to their data being processed. This is concerned with processing being based on three areas:

  • Legitimate interest, or performing a task in the public interest or an exercise of official authority, including profiling
  • Direct marketing
  • For purposes of scientific/historical research and statistics

For each of the three areas the individual has different rights. For instance, you should stop processing data for direct marketing purposes as soon as you receive an objection and deal with it free of charge. When processing for legitimate interest, however, you should stop unless the processing is being done to establish or defend a legal claim, or if you can demonstrate there are legitimate grounds for it, which overrides an individual’s interests and rights.

In cases of legitimate interest and direct marketing, it’s important to inform an individual they have a right to object to processing when you first communicate with them. This should be presented clearly and separately from other information.

It’s important to know that:

When an individual objects to processing that’s based on legitimate interest or research, they should have “grounds relating to their particular situation” for their request to be accepted. When processing concerns research, you’re also not required to comply with an objection where the processing is necessary for the performance of a public interest task

8. Rights in relation to automated decision making and profiling

This means an individual has the right not to be subject to a business’s automatic decision making in certain circumstances. It’s concerned with a business providing safeguards for an individual against the risk that it might make a potentially damaging decision, without human intervention. The right “not to be subject to a decision” applies when it’s:

  • Based on automated processing
  • Produces a legal effect or a similarly significant effect on an individual

For an individual to have this right, you must ensure that they can obtain human intervention and express their point of view. You should also ensure they’re able to receive an explanation about an automated decision and challenge it.


The GDPR states that profiling is any form of automated processing which is used to analyse or evaluate an individual’s personal details. This includes their health, behaviour, personal preferences, performance at work, economic situation, and where they live. When processing data for profiling, you must  ensure:

  • It’s fair and transparent by providing meaningful information, including the significance and expected consequences
  • That you implement measures so you can correct inaccuracies and minimise the risk of errors
  • That personal data is secure in a manner that is proportionate to the risk to the rights and freedoms of individuals and to prevent discriminatory effects.

Automated decision making that involved special categories of personal data or children, is only allowed under certain conditions which include explicit consent or processing necessary for reasons of substantial public interest.

It’s important to know that: 

The right not to be subject to a decision does not apply to all automated decisions. This includes when it’s necessary for entering into or performing a contract between you and the individual, and if it’s been authorised by law, such as for preventing fraud or tax evasion.

Providing GDPR support for your business

Understanding individuals’ eight rights is just one important part of being ready for GDPR. From taking on new business responsibilities, to the time and costs needed to apply the rights to your customers, there’s a lot to think about – you can learn more in our blog, How to prepare for GDPR. It’s wise to get as much support as you can.

At FSB, we support members with advice and guidance so they can be ready for GDPR when it comes into force next year. This includes: 

  • A telephone advice service for general GDPR  advice
  • Online GDPR fact sheets and checklists for small businesses
  • Instructional videos, including a GDPR overview

If you’d like to find out more about how we can help your business with GDPR compliance, please visit our FSB Legal Hub and FSB Cyber Protection pages. The services are included as standard with our Business Essentials package. Please take a look at our package comparison page to find out about the benefits of this package and our others.

FSB Legal Hub from FSB

Factsheets and downloads for: Employment Law, Taxation Matters, Business Law and Health & Safety information. All free. As well as monthly bulletins.

Find out more