Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice.
Updated June 2026 · England & Wales
Every day, organisations collect information about us. When you buy something online, sign up for a newsletter, use a loyalty card or simply browse a website, someone somewhere is recording data about you. UK law gives you real power over how that information is used, but most people have no idea what they are entitled to ask for.
This guide walks you through the rights you hold as a consumer under the UK GDPR and the Data Protection Act 2018. You will see what organisations must tell you, what you can demand from them, and the practical steps for making a request stick.
The rules apply whether you are dealing with a high street retailer, a social media platform, your bank or a local tradesperson keeping your details on file.
Overview
Data protection law in the UK sits on two pillars: the UK GDPR (the retained and amended version of the EU General Data Protection Regulation that continues to apply after Brexit) and the Data Protection Act 2018. Together they set out how any organisation, whether a global tech company or a one-person business, must handle personal information about living individuals.
Personal data covers anything that identifies you directly or indirectly: your name, email, phone number, IP address, photos, location data, purchase history, even opinions recorded about you. The law gives you eight individual rights and places duties on organisations to process data lawfully, fairly and transparently.
The Information Commissioner's Office (ICO) is the UK regulator and takes complaints when things go wrong. None of this is optional for businesses, and the rights are yours by default: you do not need to sign up or pay for them.
Key steps
Find out what an organisation holds about you. Submit a subject access request, often called a SAR. You can do this by email, letter or even a social media message, and you do not have to use a special form or give a reason. The organisation must respond within one month in most cases, and the first copy is free.
Ask for corrections if something is wrong. If the information held about you is inaccurate or incomplete, put your correction in writing with supporting evidence where you have it. The organisation should update the record promptly and tell anyone they shared the wrong data with, so the inaccuracy does not keep spreading through third parties.
Request erasure where appropriate. In certain situations you can ask for your data to be deleted, for example where it is no longer needed, you withdraw consent, or it was processed unlawfully. This right is not absolute, and organisations can refuse if they have a legal obligation to keep the information or need it for a legal claim.
Control how your data is used. You can object to direct marketing at any time and that objection must be honoured. You can also object to other processing based on legitimate interests, restrict processing while a dispute is sorted out, and, where the processing is automated and based on your consent or a contract, ask for the data you supplied in a portable, machine-readable format so you can move it to another provider.
Escalate if the organisation does not cooperate. Start with a written complaint to the company's data protection officer, if it has one, or to its customer service team. If you do not get a satisfactory response within a reasonable period, you can report the matter to the ICO, and in some cases pursue a claim through the courts for compensation.
Q How long does an organisation have to respond to my subject access request?
The standard response time is one calendar month from the date they receive your request. This can be extended by a further two months if the request is particularly complex or you have made several at once, but the organisation must tell you within the first month that they are taking longer and explain why. Delays without good reason can be reported to the ICO.
Q Can a company charge me for making a data protection request?
For most requests the first response must be provided free of charge. A reasonable fee can only be charged where a request is manifestly unfounded or excessive, or where you are asking for further copies of data already provided. If you are told there is a fee, ask for a written explanation of why, and check the current ICO guidance before paying.
Q What counts as personal data under UK law?
Personal data is any information relating to an identified or identifiable living person. That covers obvious things like your name, address and date of birth, but also online identifiers such as IP addresses and cookie IDs, CCTV footage of you, voice recordings, and even pseudonymised data if it can be linked back to you. Anonymous data that cannot identify anyone falls outside the rules.
Q Does the right to be forgotten mean a company must always delete my data?
No, erasure is not an automatic right in every situation. Organisations can refuse deletion where they need the data to comply with a legal duty, to exercise freedom of expression, for public health reasons, for archiving in the public interest, or to establish or defend legal claims. They should explain the reason for refusal, and you can challenge it if you disagree.
Q What can I do if I think my data has been leaked or misused?
Contact the organisation first and ask what happened, what data was affected, and what they are doing about it. Where a breach is likely to put people at risk, the organisation must report it to the ICO within 72 hours of becoming aware of it, and if the risk is high it must also tell the affected individuals without undue delay. You can make your own complaint to the ICO, and where you have suffered material or non-material damage, you may be entitled to compensation.
Q Do small businesses and sole traders have to follow data protection law?
Yes. The size of the organisation does not matter: if they process personal data about individuals they must comply. Most organisations processing personal data also need to pay an annual data protection fee to the ICO, unless a specific exemption applies. A window cleaner keeping a customer list on their phone is covered just as much as a multinational.
Q Can I stop a company sending me marketing emails and texts?
Yes, you have an absolute right to object to direct marketing at any time, and the organisation must stop. This applies whether they rely on consent or another lawful basis. Every marketing message should also include a clear opt-out. If you continue receiving messages after opting out, keep copies and report it to the ICO, who regulates marketing under PECR as well as the UK GDPR.
Data protection law can feel abstract until you are actually trying to get a company to release, correct or delete information about you. An experienced legal adviser can talk you through your options on the phone, based on what you describe about your situation.
Written & reviewed by
Brad Askew Solicitor (non-practising)
LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.