Updated: 5 Mar 2021

Data Protection Act 2018 (GDPR)

The Data Protection Act 2018 brought the EU's General Data Protection Regulation (GDPR) into UK law. It governs your personal data rights, including the way companies handle your data and the compensation you can claim for misuse of your data.
Which? Editorial team

What is GDPR and how does it affect you?

The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules that have been brought into UK law as the Data Protection Act 2018.

Here, we explain some of the most important rights you have to control your data, how these data protection rights could affect you and how you can use them.

Key Information

Will my data rights change when the UK leaves the EU?

The Data Protection Act 2018 remains in place to protect your personal data. All the rules still apply, but once the transition period comes to an end the UK government will be free to change those rules.

Read our Brexit guide for more information on how the UK leaving the EU could impact protection of your personal data.

Collecting your personal data

When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect and process information about you.

This might include your name, address, and telephone number. This type of data, which is capable of identifying a living individual, is called 'personal data'.

Organisations may even ask for data like your date of birth, the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.

Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.

GDPR adds in a new range of personal identifiers, reflecting changes in technology and the way companies gather data today.

Online identifiers, such as your IP address, are now included within the definition of personal data.

Read our guide on what counts as personal data if you'd like to know more.

Find your data - subject access requests

The right to make a subject access request existed under the former Data Protection Act 1998.

A subject access request allows you to act on your right to obtain access to your personal data being processed by a company.

Previously you had to pay a small fee to make one, but under the Data Protection Act 2018, it now has to be free of charge in most circumstances.

You might make a subject access request if you think that a company is not processing your data lawfully, to check what information it holds about you and ensure it’s accurate and up to date, or to ask for job interview notes.

Companies have to provide you with the information without delay and at the latest within one month of receiving your request.

This is shorter than the previous 40-day timeframe. However, companies are allowed to extend the period by a further two months if the request is complex or if you have made numerous requests.

If this is the case, the company must inform you within a month from the date you made the request and explain why the extension is necessary.

A word of warning: if your request is unfounded or excessive, the controller of the data may charge a fee or refuse to act on the request. If you think the charge is unfair or your request is refused, you can complain to the ICO.

When your consent is needed for marketing

Under GDPR it is usually up to you to make a positive choice to agree to further direct marketing communications by email, such as ticking a box or agreeing over the phone.


Are there any exceptions?

The exception is where you have bought something, given the organisation your details, and did not opt out of marketing messages.

This also applies if you negotiated to buy something, for example by asking for a quote or for more clarity on what it offers, and did not opt out of marketing messages.

In these circumstances, the assumption is that you are probably happy to receive marketing about similar products or services even if you haven’t specifically consented, and the Privacy and Electronic Communications Regulations (PECR) allow organisations to contact you by email for marketing purposes.

Withdrawing your consent should be as easy as giving it. Companies should make it easy for you to do so, for example by providing an unsubscribe link at the bottom of their marketing emails.

If you want companies to stop using your data, make a request to stop processing your data for the purposes of direct marketing.

Data protection: jargon buster

  • Processing is essentially anything that is done to or with personal data. This includes but is not limited to collecting, recording, organising, structuring, storing, adapting, altering, erasing or destroying.
  • A data subject is an identified or identifiable person.
  • A controller determines the purposes and means of the processing of personal data.
  • A processor processes data on behalf of a controller.

Six legitimate reasons to process your data

At least one of the following lawful bases set out in Article 6 of GDPR must apply whenever an organisation processes your personal data:

  • Consent: you have given the organisation consent to process your personal data for one or more specific purposes.
  • Contract: the processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.
  • Legal obligation: the processing is necessary to comply with a legal obligation which the organisation is subject to.
  • Vital interests: the processing is necessary to protect someone’s vital interests or those of another person.
  • Public task: the processing is necessary to perform a task in the public interest or an official function with a clear basis in law.
  • Legitimate interests: the processing is necessary for the purposes of pursuing the organisation’s legitimate interests or those of a third party, except where those interests are overridden by the interests or rights of the data subject which require protection.

The Information Commissioner’s Office (ICO) breaks the legitimate interests basis down into a three-part test:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

Companies must make it clear to you how your data will be used

Companies should make it clear what they will do with your data, using plain language that’s easy to understand.

The purpose of collecting your personal data (for example, for marketing) must also be made clear to you at the point your data is collected.

You can ask for your data to be erased

GDPR gives you the right to have your personal data erased. The right to erasure is also known as ‘the right to be forgotten’.

You can make a request for erasure verbally or in writing and the company has one month to respond to a request.

Some reasons you might ask a company to erase your personal data are:

  • you no longer need the service (so they should no longer need to hold your data)
  • you're objecting to the company using your data for direct marketing
  • the company is processing your data without your consent

There are some exemptions where the company or organisation can refuse your request.

These include:

  • the right of freedom of expression and information
  • to comply with a legal obligation
  • for the performance of a task carried out in the public interest or in the exercise of official authority
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
  • for the establishment, exercise or defence of legal claims

You can ask for inaccurate information to be corrected

GDPR includes a right that allows you to request that inaccurate or incomplete personal data is rectified or made complete.

You can make a request for rectification verbally or in writing and the company has one month to respond to your request.

A company can refuse to comply with your request for rectification if it thinks the request is unfounded or excessive.

You can ask for data in a format that will help you

If you have provided your personal data to a controller and it is being processed by automated means either on the basis of consent or for the performance of a contract, you’ll have the right to request that data in a machine-readable format and the right to have that transmitted to another data controller.

In theory, the right to personal data portability will allow you to move, copy or transfer personal data more easily from one IT environment to another in a safer and more secure way.

This may also enable you to take advantage of applications and services such as price comparison websites, which can use this data to find you a better deal.

You can object to profiling and the use of your data for direct marketing

You now have the right to object to activity from online retailers and companies, including profiling used for direct marketing purposes.

Companies must inform you of your right to object at the point of first communication or in their privacy notice.

In the case of an objection to processing for direct marketing purposes, they must stop processing your personal data for that purpose.

Appeal automated decisions

GDPR gives you the right in certain circumstances not to be subject to decisions which are based solely on automated processing, and which have a legal or other significant effect on you. Some decisions (such as online credit or e-recruiting) may also be subject to additional controls.

If you object, you can ask for a human to review the automated decision that has been made, but it doesn't necessarily mean the result will be any different.

Read our guide for more information on how automated decision making and profiling work, including what you can do to stop it.

Serious data breaches

If there is a serious breach of your data, you have to be told without undue delay. The GDPR introduced a duty on organisations to report certain types of serious personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of the organisation becoming aware of it, where feasible.

If there has been a breach, the company should explain to you, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of its data protection officer or other contact point that can provide more information
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Where a company hasn’t informed affected individuals, the ICO has the power to compel them to do so if it considers there is a high risk to individuals’ rights and freedoms.

If you become aware that an organisation has lost your personal data, read our guide for steps you can take to protect yourself and, in some cases, claim compensation following a data breach.

Huge fines for companies if they break the rules

In the most severe cases where companies have breached the new rules, the ICO could issue fines of up to €20m or 4% of annual global revenue – whichever is higher.

In April 2019 the ICO fined pregnancy and parenting advice service Bounty UK Ltd £400,000 for sharing the personal data of over 14 million individuals with a number of organisations, including credit reference and marketing agencies, without informing the individuals that it would do this.

Multiple routes to claim compensation

You can in certain circumstances make a claim for compensation for both material and non-material damage including, but not limited to, distress and reputational damage, if your data has been misused or if there has been an infringement of the GDPR.

The GDPR broadened who you can make a claim against. You can claim against the data processor, as well as the data controller.

For example, previously you wouldn’t have been able to claim against a misuse of your personal data by a call centre acting as a processor. Instead you would have had to find out who the controller was that the data processor was handling the data for and make a claim against them. But now you can make a claim against either or both entities.

Compensation can be claimed for damage suffered as a result of a breach, including financial losses and also any distress caused. While you can take both a controller and a processor to court, you can only win once and so won’t be able to recover in full against both entities.