Your GDPR rights: a complete UK consumer guide (2026)

Most UK residents have no idea how powerful their GDPR rights actually are. I’ve submitted hundreds of rights requests on behalf of clients, and the success rate when you know what you’re doing is remarkably high. The problem is that most people don’t know what they’re doing. And most guides on the subject don’t help.

The typical GDPR rights article lists the eight rights, quotes a few articles of legislation, and sends you to the ICO website. That is not what this guide does. This covers what each right means in practice, how organisations actually respond, and what to do when they refuse. Written from direct experience as an OSINT investigator who exercises these rights professionally.

Your eight rights under UK GDPR

UK GDPR gives individuals eight distinct rights over their personal data. The legislation sits within the European Union (Withdrawal) Act 2018, supplemented by the Data Protection Act 2018. Since the Data Use and Access Act 2025 received Royal Assent on 19 June 2025, several of these rights have been modified.

Not all eight rights are equally useful. Some are genuinely powerful and widely enforceable. Others are situational. One of them is, for most consumers, practically irrelevant. Understanding which is which saves you time and gets better results.

I’ve ordered them by practical usefulness rather than article number.

The right to object to direct marketing (Article 21)

This is your single most powerful GDPR right. Most people have never heard of it.

Under Article 21 of UK GDPR, you have an absolute right to object to the processing of your personal data for direct marketing purposes. Absolute means exactly that. No balancing test. No “legitimate interests” argument the organisation can deploy. No exceptions whatsoever. They must stop the moment you object.

Why does this matter so much? Because most data brokers and marketing companies rely on “legitimate interests” as their lawful basis for processing your data. When you object to direct marketing, that basis collapses entirely. If they have no other lawful basis for holding your data, they must delete it.

I’ve used Article 21 objections to force data brokers to delete records they initially refused to erase under Article 17. The objection route bypasses the exemptions that organisations hide behind when you submit a straightforward erasure request. If a company is using your data to sell you things, or selling your data to companies that want to sell you things, Article 21 is the right to reach for first.

How to use it: State clearly in writing that you are exercising your right under Article 21 of UK GDPR to object to the processing of your personal data for direct marketing. Include your full name, address, and any customer or reference numbers. The organisation must comply without charge and must do so promptly.

The right to erasure (Article 17)

Article 17 is the right most people think of first: the “right to be forgotten,” as the media call it, although the legislation does not use that phrase. It works, but with more conditions than most people expect.

You can request erasure when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the lawful basis)
  • You object under Article 21 and there are no overriding legitimate grounds
  • The data was processed unlawfully
  • Erasure is required to comply with a legal obligation
  • The data was collected from a child for an online service

But the right is not absolute. Organisations can refuse if processing is necessary for freedom of expression, legal obligations, public health, public interest archiving, or establishing, exercising, or defending legal claims.

That last exemption is the one organisations abuse most frequently. I’ve seen companies claim they need to retain personal data “in case of future legal claims” with no specific claim in prospect and no realistic likelihood of one arising. This is not what the exemption is for. The ICO’s guidance makes this clear. But companies try it regularly, banking on the assumption that most people won’t push back.

In practice, erasure requests work well against data brokers and marketing companies. They work less well against companies you have an ongoing relationship with (banks, employers, HMRC), but that is usually because those organisations have a separate lawful basis for holding your data, not because the right itself is weak.

Response deadline: One calendar month from the day after receipt. Extendable by two further months for complex or numerous requests, but they must inform you within the first month and explain the reason.

For a detailed, broker-by-broker guide to submitting erasure requests to UK data brokers, I’ve covered the full process in my guide to data removal services in the UK.

The right of access (Article 15)

A Data Subject Access Request (DSAR) is often the best starting point. Before you can ask a company to delete your data, you need to know what they actually hold.

Under Article 15, you have the right to:

  • Confirm whether an organisation processes your personal data
  • Obtain a copy of that data
  • Know the purposes of processing and categories of data held
  • Know who the data has been disclosed to
  • Know the source of the data (if not collected from you directly)
  • Know the retention period or criteria for determining it
  • Be informed of your rights to rectification, erasure, restriction, and complaint

DSARs are free. An organisation can only charge a “reasonable fee” or refuse if your request is “manifestly unfounded or excessive.” That is a high bar they rarely meet in practice.

The value of a DSAR goes beyond curiosity. When I submit one on behalf of a client, it regularly reveals data sources they had no idea about. A single DSAR to 192.com might show they hold your name, current address, previous addresses, phone number, and electoral register history sourced from the open electoral register, BT-OSIS telephone directories, and other commercial data suppliers. That response gives you a map for your next round of erasure requests.

A common mistake: people submit vague DSARs asking for “all my data” without providing enough identification. Include your full name, current and previous addresses, date of birth, and email address. The more precisely you identify yourself, the harder it is for the organisation to claim they cannot locate your records.

What changed under the Data Use and Access Act 2025

The DUAA 2025 (Part 5 provisions effective 5 February 2026) introduced two changes to how DSARs work. First, the “reasonable and proportionate” search standard is now statutory rather than just ICO guidance, giving organisations slightly more certainty about the scope of their obligations. Second, a “stop the clock” mechanism pauses the one-month deadline if the organisation needs further information from you to verify your identity or locate your data. Both changes are reasonable. Neither significantly weakens the right.

The right to rectification (Article 16)

If an organisation holds inaccurate personal data about you, you can require them to correct it. Straightforward in principle. Less so in practice when “inaccurate” is disputed.

Credit reference agencies are the classic battleground. If your credit file shows a default you believe was incorrectly applied, the CRA will often point to the original creditor as the source. You then need to raise a dispute with the creditor, who may disagree. The right exists, but exercising it can involve circular referrals between organisations.

The right extends to incomplete data. If an organisation holds your name spelled incorrectly or an outdated address, you can require correction. Response deadline: one calendar month.

The right to restrict processing (Article 18)

A tactical right that most people overlook. You can require an organisation to freeze your data, preventing any use, in four situations:

  1. You contest the accuracy of the data (restriction applies while they verify)
  2. Processing is unlawful but you prefer restriction over erasure
  3. The organisation no longer needs the data but you need it preserved for a legal claim
  4. You have objected under Article 21 and restriction applies while the organisation assesses whether their grounds override yours

I’ve used this right when a client needed evidence preserved for potential litigation but could not allow the data broker to continue selling the information in the meantime. Think of it as a legal injunction on your data. A holding measure, but a powerful one.

The right to data portability (Article 20)

Portability gives you the right to receive your personal data in a structured, machine-readable format and to have it transmitted directly to another controller where technically feasible.

Two significant limitations. It only applies to data you provided directly (not data derived or inferred about you). And it only applies where processing is based on consent or contract and carried out by automated means.

For most privacy-related use cases, portability adds little. It is more relevant when switching service providers. My honest assessment: this is the least useful right for the majority of people reading this guide. I include it for completeness, but if you are trying to reduce your digital footprint, your time is better spent on Articles 21, 17, and 15.

Automated decisions and profiling (Article 22)

Under Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects on you. Think credit scoring algorithms, automated job application screening, or insurance risk assessments.

The Data Use and Access Act 2025 significantly narrowed this protection. The restriction now applies only where special category data (health, race, religion, political opinions, trade union membership, biometric or genetic data) is involved. For decisions based on ordinary personal data, the protection is substantially weaker.

My view: this was a backwards step for consumers. Automated decision-making is becoming more prevalent across financial services, insurance, recruitment, and housing. Narrowing the protection at precisely this point was poorly timed. Womble Bond Dickinson described the DUAA as introducing “minor relaxations of data protection requirements.” On automated decisions, the relaxation was not minor.

The right to be informed (Articles 13 and 14)

Organisations must tell you what they are doing with your data. Article 13 applies when data is collected directly from you. Article 14 applies when data is obtained from a third-party source.

This is why privacy policies exist. The right is passive. You do not need to exercise it. Organisations must comply proactively. But when they fail, it creates grounds for complaint to the ICO and potentially for compensation claims under Section 168 of the DPA 2018.

Data brokers fall short here consistently. Most obtain your data from the open electoral register, telephone directories, and other commercial sources without ever informing you. Under Article 14, they should notify you within one month of obtaining your data, or at the latest when they first use it to contact you or disclose it to someone else. The majority simply do not bother.

This failure is not harmless. It is a breach of UK GDPR that compounds the underlying privacy issue. If a data broker cannot demonstrate that it informed you about its processing of your data, its entire lawful basis becomes questionable.

How to submit a rights request that actually works

The mechanics matter more than people expect. A well-structured request gets results. A vague one gets delayed, misunderstood, or ignored.

Identify yourself precisely. Full name, current address, previous addresses if relevant, date of birth, and email address. The more you provide, the fewer excuses the organisation has for failing to locate your records.

Name the specific right. “I am exercising my right under Article 17 of UK GDPR to request erasure of my personal data” is far more effective than “please delete my information.” Reference the article number. It signals that you understand the legislation and are not sending a casual request.

Use email, not phone. Always submit requests in writing. Email creates a timestamped paper trail. If you need to escalate to the ICO or to court, you need documentary evidence of when you made the request and exactly what you asked for.

Set a clear deadline. Include a sentence like: “I expect a substantive response within one calendar month as required by UK GDPR.” Reminding them of the statutory deadline costs you nothing and focuses attention.

Keep records. Save every email. Screenshot every web form submission. Note dates and outcomes. If you are submitting requests to multiple data brokers, a simple spreadsheet tracking company name, date sent, response date, and outcome prevents requests from falling through the cracks.

Combine rights where appropriate. There is no legal requirement to exercise each right separately. I’ve submitted combined requests that include a DSAR (Article 15), an objection to direct marketing (Article 21), and an erasure request (Article 17) in a single email. Doing this saves weeks of back-and-forth.

The ICO provides free template letters for each right on its website. They work, but they are generic. In my experience, requests that reference specific data the organisation is likely to hold get faster and more thorough responses than templates sent without modification.

When organisations refuse or ignore you

This is where most guidance stops. It is also where the practical work begins.

Step 1: Follow up in writing. If you receive no response within one calendar month, send a follow-up referencing your original request date and the statutory deadline. Give them 14 further days. Some organisations are genuinely disorganised rather than deliberately obstructive.

Step 2: Escalate internally. Ask for the matter to be reviewed by the organisation’s Data Protection Officer (DPO). Larger organisations are required to have one. Smaller ones may not, but asking the question often gets passed to someone more senior.

Step 3: Complain to the ICO. You can submit a complaint through the ICO website. They will assess whether the organisation has breached UK GDPR and may contact them directly, issue a reprimand, or take enforcement action.

An honest word of caution here. The ICO is under-resourced. In 2024/25, roughly 3% of reported data protection breaches led to formal investigation. The regulator is better at handling systemic complaints against repeat offenders than individual disputes. That said, an ICO case reference number on file adds real pressure, and some organisations comply the moment they learn the regulator is aware.

From 19 June 2026, the DUAA 2025 introduces a new right to complain directly to the controller before going to the ICO. Organisations will be required to maintain a formal complaints process, provide an electronic complaints form, acknowledge within 30 days, and respond without undue delay.

Step 4: Court action for compensation. Under Section 168 of the Data Protection Act 2018, you can claim compensation for both financial loss and distress caused by data protection breaches. These claims go through the County Court, Small Claims Track. Court fees start from 35 pounds for claims up to 300 pounds.

The Court of Appeal ruling in Farley v Paymaster (2025) confirmed that no threshold of seriousness is required for non-material damage claims. You do not need to prove that your data was actually accessed or misused by a third party. The breach itself can be sufficient. This ruling meaningfully lowered the bar for individual claimants.

Most organisations would rather comply with your original request than face a court claim. Even a small one creates administrative cost and legal risk disproportionate to the claim value. This dynamic works in your favour.

The gap between the law and what actually happens

The honest truth that official guidance does not cover.

UK GDPR is well-drafted legislation. The rights are clearly defined. The deadlines are specific. The enforcement framework exists. The problem is not the law. The problem is compliance.

Large organisations with dedicated data protection teams generally respond properly and within deadline. They have processes, DPOs, and legal counsel who understand the consequences of non-compliance.

Small and medium-sized data processors are a different matter. Data brokers, lead generation companies, and marketing list suppliers frequently ignore requests, delay beyond the statutory deadline, or claim exemptions that do not apply.

I’ve seen organisations claim that electoral register data is “publicly available” and therefore exempt from erasure rights. It is not. Public availability of the source does not override your individual right to erasure from their database.

I’ve seen data brokers acknowledge a DSAR, confirm they hold extensive records across multiple data categories, and then refuse erasure because they assert “legitimate interests.” When you then object under Article 21 specifically for direct marketing, they suddenly discover the data can be deleted after all. The initial refusal was a bluff.

I’ve seen companies miss the one-month deadline by weeks, provide incomplete DSAR responses missing entire data categories, and fail to inform individuals about their right to complain to the ICO. Each of these failures is a separate breach. Most people do not realise they can escalate on procedural grounds even when the substance of the request is eventually resolved.

The ICO’s enforcement record reflects this gap. In 2024, the regulator took 62 enforcement actions totalling approximately 2.7 million pounds in fines. In 2025, the number dropped to 31 actions but total fines rose to roughly 19.6 million pounds across 7 cases. Notable enforcement: Clearview AI was fined 7,552,800 pounds in May 2022 (reinstated on appeal in October 2025), Capita settled for 14 million pounds, and 23andMe was fined 2.31 million pounds for a breach affecting 155,592 UK users.

But here is the significant gap: no enforcement action has been taken against UK people-search or data-lookup websites as of March 2026. Sites like 192.com, which hold over 700 million residential records sourced from 200 million electoral roll entries, operate without specific regulatory scrutiny. The ICO has not prioritised this sector despite the scale of data processing involved.

What your GDPR rights cannot delete

Strong as they are, GDPR rights have clear boundaries. Knowing what falls outside their reach prevents wasted effort.

Court records and legal filings. County Court judgments, bankruptcy orders, tribunal decisions, and other court records are public and cannot be erased via GDPR. The journalism and freedom of expression exemptions also apply to published legal reporting.

Companies House filings. If you are or were a company director, your name appears on the public register. The Economic Crime and Corporate Transparency Act 2023 introduced the option to suppress residential addresses from historical filings (Form SR01, 30 pounds per document, no reason required) from 27 January 2025. From 21 July 2025, this extends to signatures, business occupation, and day of date of birth. Your name as a director, however, remains public.

Accurate credit history. Credit reference agencies hold your data under a combination of legal obligation and legitimate interests. You can correct inaccurate entries, but you cannot erase accurate credit history. Defaults, CCJs, and payment records remain for six years.

Government databases. HMRC, DWP, NHS, and local authorities process your data under legal obligation. GDPR rights requests to government bodies are handled with broader exemptions.

News articles. The journalism exemption under Schedule 2, Part 5 of the DPA 2018 protects published reporting. You can request search engine delisting under Article 17(2), but the source article itself remains.

Data already sold onward. If a data broker sold your data to other companies before you submitted your erasure request, your request to the original broker does not automatically cascade to every recipient. Article 17(2) requires the controller to inform recipients, but enforcement of this obligation is weak in practice.

This is where a professional investigator-led approach makes the most difference. Mapping exactly where your data has spread and submitting targeted requests to each holder produces better results than hoping a single deletion propagates through the supply chain.

Exercising your GDPR rights against UK data brokers

The practical application of these rights against data brokers deserves specific attention, because this is where most UK consumers encounter privacy failures.

UK-specific brokers like 192.com, Tracesmart (now LexisNexis Risk Solutions UK Limited), PeopleTraceUK, and UKPhonebook.com source data primarily from the open electoral register, BT-OSIS telephone directories, and Companies House. All are subject to UK GDPR.

The most effective approach combines three rights in a single request:

  1. Article 15 DSAR: confirm what data the broker holds and where it was sourced
  2. Article 21 objection: stop all direct marketing processing (absolute, no exceptions)
  3. Article 17 erasure: delete all personal data for which no other lawful basis exists

I’ve submitted these as a combined request to save time. There is no legal requirement to exercise them sequentially.

Roughly 40% of UK registered electors remain on the open electoral register, which is available for purchase by anyone for any purpose at a cost of 20 pounds plus 1.50 pounds per 1,000 entries. The largest buyers include Experian, Equifax, TransUnion, and 192.com. Opting out at gov.uk/register-to-vote prevents future inclusion, but it is not retrospective. Data brokers who purchased previous editions of the register retain that data legally.

The gap between opting out of the electoral register and actually removing your data from every broker who already bought it is where most people get stuck. The Electoral Commission, the ICO, the Local Government Association, and the Association of Electoral Administrators have all called for the open register to be abolished. The government has moved in the opposite direction, discouraging opt-outs since 2014.

For those dealing with exposure across multiple brokers and data sources, particularly in cases involving active threats such as doxxing, harassment, or stalking, I’ve written about when professional data removal makes sense versus DIY approaches. For situations involving complex exposure that automated services cannot address, get in touch directly.

Making your GDPR rights count

The difference between people who successfully exercise their GDPR rights and those who give up frustrated comes down to three things: specificity, persistence, and documentation.

Be specific. Reference article numbers. Identify the data you want acted upon. Provide enough identification that the organisation cannot claim it failed to find your records.

Be persistent. Most organisations that miss deadlines or give inadequate responses are disorganised, not malicious. A follow-up citing the statutory deadline resolves the majority of cases. The ones it does not resolve are the ones worth escalating.

Document everything. If you reach the point of an ICO complaint or a compensation claim under Section 168, the quality of your evidence determines the outcome. Timestamped emails, screenshots, delivery receipts. All of it matters.

Your GDPR rights are not theoretical protections buried in legislation. They are enforceable legal rights, backed by a regulator with fining powers up to 17.5 million pounds and a court system that has just lowered the bar for individual compensation claims. The organisations holding your data know this. Even when they act as though they don’t.

Aaron Barnes-Wilding — Barnveil founder and privacy intelligence expert

Aaron Barnes-Wilding

Founder & Privacy Intelligence Expert

Former intelligence analyst and licensed investigator with over a decade of experience in OSINT, counter-fraud, and digital privacy. Advises high-net-worth individuals, solicitors, and corporates on data exposure and removal strategies.