Data Protection – Rights of an individual as to their personal data


Since the United Kingdom left the EU, the relevant data protection law is the Data Protection Act 2018. This incorporates the EU GDPR directly into UK law and is known as the UK GDPR. Brexit has not led to any substantial change to data protection laws in the UK.

Personal data

The UK GDPR defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

ICO guidance states that personal data that has been pseudonymised (that means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Processing

The UK GDPR defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

As such, obtaining, recording or simply holding personal data would be considered processing.


Under the UK GDPR, individuals have a number of specific rights as to the storing or processing of their personal data. These are set out below.

Right to information

You may request from us (i) the purposes for which we process personal data, (ii) the retention periods for personal data and (iii) with whom personal data is shared (“Privacy Information”). It is likely that your request is answered by our Data Protection and Privacy Policy. However, in the unlikely event that this does not answer your question, please contact the Data Protection Officer at and we will provide the requested Privacy Information within a reasonable period and no later than one month (unless there are grounds for refusal – see below).

Refusal of a request

We will only refuse to grant a request for Privacy Information where the request would involve a disproportionate effort, where it would be impossible, or where it would render impossible or seriously impair the achievement of the objectives of the processing.

Subject Access Request/Right of access

Under the right of access (often referred to as a Subject Access Request) individuals have a right to know where, how and in what manner their personal data is being stored or otherwise processed, and to be informed of the same.

The reason for this right is to enable data subjects to have an awareness of the personal data stored or otherwise processed and allow them to verify the lawfulness of such processing.

Data subjects who wish to make a Subject Access Request must provide proof of ID and address (e.g. a copy of a passport and a recent utility bill). Data subjects are encouraged to use the form at when making the request to allow for speedy resolution.

Where data subjects make a Subject Access Request, the Data Protection Officer shall provide a copy of the information within one month of the request free of charge.

Refusal to grant a SAR

The DPO may refuse to comply with a Subject Access Request where the request is (i) manifestly unfounded or (ii) manifestly excessive. This decision shall be made by the Data Protection Officer together with a partner of Saint and Co. If this decision is made, you will be informed of the reasons why, of your right to make a complaint to the ICO and of your right to seek to enforce this right through the courts.

Suspicious activity

Where a suspicious activity report has been made to the National Crime Agency, this would fall outside the scope of the right of access, and a tipping off offence could be committed by providing such information.

Right to rectification

The right to rectification is a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. Requests can be made verbally or in writing and we shall respond and rectify the inaccurate personal data within one calendar month.

In some cases there may be a disputed opinion. For example, a client may be in dispute with us over a particular figure in a personal tax return. Where a client tries to force that figure to be changed using the right to rectification, as long as the record notes that it is an opinion and whose opinion it is, it would be difficult to say it is inaccurate and needs to be rectified. You will note our obligations under the ICAEW Code of Ethics not to be associated with misleading information (Section 110.2).

If we refuse to comply with a request for rectification we will inform the individual about the reasons we are not taking action, their right to make a complaint to the ICO and their ability to seek to enforce this right through a judicial remedy. This is a decision that the Data Protection Officer will make in consultation with a partner.

Right to erasure/right to be forgotten

The right to erasure (or right to be forgotten) introduces a right for individuals to have personal data erased. This is not an absolute right however and only applies in certain circumstances.

Where we are relying on consent as our lawful basis for holding the data and the individual withdraws their consent, we shall erase the data without delay and in any case within one month. This may be relevant where individuals have signed up to receive newsletters or marketing information from us.

The right to erasure does not apply if processing (including holding the data) is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims. Where a firm is holding records in line with statutory or regulatory obligations as per ICAEW’s document retention helpsheet or the CCAB Anti-Money Laundering guidance for the accountancy sector with respect to Client Due Diligence (CDD), we will not have to erase relevant personal data unless the specified retention periods have been exceeded.

Refusal to comply with a request for erasure

If we refuse to comply with a request for erasure, we will inform the individual about the reasons we are not taking action, their right to make a complaint to the ICO and their ability to seek to enforce this right through a judicial remedy. This is a decision that the Data Protection Officer will make in consultation with a partner.

Right to restrict processing

An individual can make a request to restrict processing verbally or in writing and we have one month to respond to such requests. The aim is to give individuals a right to limit the way an organisation uses their data.

An individual has a right to restrict processing where:

  • They contest the accuracy of data and we are verifying the accuracy of the data;
  • The data has been unlawfully processed;
  • We no longer need the data but the individual needs us to keep it in order to establish, exercise or defend a legal claim (personal data still shouldn’t be kept longer than necessary to meet this requirement, however); or
  • Where we have used legitimate interests as the lawful basis for processing, the individual has objected and we are considering whether we have legitimate grounds to override those interests of the individual.

Restricting processing is not the same as the right to erasure, and the personal data may still be stored. In order to give effect to a restriction, we may, for example, temporarily move the data to a separate storage system or make the data unavailable to users.

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It would commonly apply therefore to individuals wanting a download of their mobile phone usage, music streaming history or online shopping purchases from a particular retailer.

This right only applies to personal data:

  • an individual has provided to a controller;
  • where the processing is based on consent or for the performance of a contract; and
  • when processing is carried out by automated means.

It is unlikely that this right will therefore be of relevance to us as it would be rare for us to be relying on consent and would only apply on the basis of a contract where the data subject was a party to that contract.

Right to object

Individuals have the right to object to processing in certain situations. This could be the right to object to direct marketing. If an individual objects to direct marketing we must stop processing their personal data for such purposes as soon as we receive the objection. There are no exceptions and no grounds for refusal.

An individual may also object to processing which is based on legitimate interests. To continue processing, we must be able to demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the individual, or the processing must be for the establishment, exercise or defence of legal claims. This is a decision that the Data Protection Officer will make in consultation with a partner.

Reviewed and updated April 2024