Data Governance Toolkit: Your Rights Under UK GDPR
1. Introduction
Data governance is about ensuring organisations handle your personal information lawfully, fairly, and transparently. Under the UK General Data Protection Regulation (UK GDPR), you have a set of enforceable rights that are powerful tools for accountability.
Contrary to what many organisations suggest, you don't need to wait for their internal processes to finish before exercising your data rights. Acting early protects your evidence, legal position, and timelines.
2. Core Principles of Data Governance (Article 5)
Organisations must comply with these principles when handling your data:
Lawfulness, fairness, and transparency: Processing must have a lawful basis and be clear to you.
Purpose limitation: Data can only be used for the specific reason it was collected.
Data minimisation: Only the minimum necessary data should be processed.
Accuracy: Personal data must be accurate and kept up to date.
Storage limitation: Data should not be kept longer than necessary.
Integrity and confidentiality: Data must be kept secure from breaches.
Accountability: The organisation must be able to prove its compliance.
3. Lawful Bases for Processing (Article 6)
An organisation must have at least one of these lawful bases to process your personal data:
Consent: You've given clear and unambiguous consent.
Contract: Processing is necessary for a contract you have with them.
Legal obligation: They are required by law to process the data.
Vital interests: It's necessary to protect someone's life.
Public task: They are carrying out a task in the public interest or exercising official authority.
Legitimate interests: They have a legitimate reason that is not overridden by your rights.
If they can't justify processing under one of these bases, you can challenge its lawfulness.
4. Your Key Enforcement Rights
Under UK GDPR, you have several powerful rights you can enforce. When you're ready to take action, use our professionally structured templates to ensure your request is clear and legally robust.
4.1 Right of Access / Subject Access Request (SAR) (Article 15)
This is your right to request a copy of all personal data an organisation holds about you. A well-written SAR can uncover crucial evidence for a grievance or tribunal claim, forcing an organisation to search its records and disclose emails, meeting notes, and internal memos where you are mentioned. They must respond within one month.
4.2 Right to Rectification (Article 16)
You can demand that inaccurate or incomplete personal data be corrected without undue delay. If an organisation has made a defamatory or incorrect statement about you in their records, you can use this right to force them to correct it.
4.3 Right to Erasure / "Right to be Forgotten" (Article 17)
This is your right to have your personal data deleted in specific circumstances. It is not an absolute right and can be refused if the organisation needs the data for the establishment, exercise, or defence of legal claims.
4.4 Right to Restrict Processing (Article 18)
This is your right to "freeze" your data. If you believe your data is inaccurate or is being used unlawfully, you can request that its processing be restricted. This legally requires the organisation to preserve the data as-is but prevents them from using, altering, or deleting it.
You can use this right on its own or combine it with a request to correct inaccurate data (Rectification). This is a powerful strategic move during a dispute.
4.5 Right to Notification (Article 19)
If an organisation rectifies, erases, or restricts processing of your data, they must communicate that change to any third parties they have shared your data with, unless it proves impossible or involves disproportionate effort.
4.6 The Legal Duty to Preserve Evidence ("Litigation Hold")
Separate from GDPR, there is a fundamental legal principle that once a party knows a formal dispute is likely, they have a duty to preserve all relevant evidence. Deliberately deleting relevant records can have serious legal consequences for an organisation.
Strategic Tip: In your grievance or appeal letter, include a sentence stating: "Please ensure all data relevant to this matter is preserved pending the outcome of this formal process and any potential future legal proceedings."
5. What to Do If They Ignore or Refuse Your Request
Challenge Them: Send a formal written response, citing the specific GDPR articles you believe they have breached.
Escalate to the ICO: If you're still unsatisfied, you can complain to the Information Commissioner’s Office (ICO) within three months of the organisation's last meaningful response. You can file a complaint at
6. Final Note: These Are Your Rights, Not Requests
The tools in this guide, from a Subject Access Request to a formal Preservation Notice, are not polite requests: they are your legal entitlements under UK law.
Exercising your data rights is a powerful and strategic way to create transparency, secure evidence, and hold organisations accountable. An organisation's response to a formal data rights request is often a clear indicator of their culture and how seriously they take their legal duties. Use these rights to protect yourself and ensure your personal data is handled with the care the law demands.