The right to rectification is crucial under UK GDPR, as data quality directly impacts business success. Outdated, incorrect, or incomplete information can erode credibility, lead to costly errors, and cause embarrassing missteps that jeopardise opportunities. Inaccurate data can derail business plans, result in poor customer service, and harm your reputation and bottom line.
The UK GDPR gives individuals significant control over their personal data and requires organisations to ensure its accuracy.
This article outlines accuracy requirements and the right to rectification under UK GDPR, offering practical insights to help your business stay compliant and manage rectification requests effectively. Our data protection team is ready to assist with data subject rights.
Key requirements for maintaining data accuracy
Your business is responsible for ensuring personal data is accurate, kept up to date, and promptly corrected or deleted if inaccuracies are identified. If the data is incomplete, your company may need to add supplementary information to ensure it is fit for purpose.
The ICO highlights that although the UK GDPR doesn't define what 'accuracy' means, the Data Protection Act 2018 defines data as inaccurate if it's incorrect or misleading as to any matter of fact.
The ICO’s guidance provides clear action steps for businesses to manage data effectively. These include ensuring the accuracy of personal data, implementing processes to regularly verify and update data, maintaining records of any challenges to data accuracy, and adhering to the rights to rectification.
Practical steps for data accuracy include ensuring that forms you ask individuals to complete (e.g. job applications and client onboarding) are comprehensive and transparent – to minimise the possibility of misunderstanding and of individuals providing inaccurate data. Of course, you can't always confirm every piece of information provided to you by a customer or client, but you can ensure that you:
- Accurately record the information provided.
- Satisfy yourself as to the reliability of the source of the information.
- Take reasonable steps to ensure the accuracy of the information – for example, by independently verifying qualifications disclosed by an employee and telling individuals to inform you of any changes to their data.
If you identify inaccurate data, it should be promptly updated or removed. Personal data often changes over time—what was accurate when initially collected may become outdated due to changes in the data subject's circumstances. When such changes come to light, you must take all necessary steps to update your records and demonstrate compliance with data protection regulations.
It’s worth remembering that you’ll need to consider what you use personal information for and whether it remains accurate as part of this process. For instance, you’ll need to update a regular customer’s records if they change their address, ensuring their goods are delivered to the correct location. While you’re not required to proactively check whether every customer has moved, you must update your records if a customer notifies you of an address change (or any other update to their personal data). However, this wouldn’t be necessary for a client who uses your services occasionally. In most cases, it will be clear whether the data in question needs to be kept up to date. If you’ve stored data for statistical or historical purposes, constantly updating it would undermine the integrity of your research.
Understanding the UK GDPR's ‘right to rectification’
The UK GDPR grants individuals the right to have their personal data corrected if it is inaccurate, and as the controller, you must be prepared to handle such requests. Additionally, individuals may have the right to complete any missing data when necessary for the relevant processing (e.g., by providing a supplementary statement).
If someone requests rectification, your business should review the data's accuracy and make any necessary changes. Even if the data appeared accurate when originally collected, new evidence may require updates to ensure its continued accuracy.
In practice, this may mean you need to:
- Take reasonable steps to check the accuracy of the data. What's reasonable will depend on the personal data, e.g. its purposes.
- Refrain from using the relevant data until the request is completed.
- Deliver the response—this may involve concluding that the data is incorrect and needs correcting, reporting any mistakes that have been corrected, or confirming that the data is, in fact, correct.
- Complex scenarios could crop up here, e.g., if the data concerns opinions, leading to tricky arguments since opinions are typically subjective. If you need support with these issues, you can seek legal advice from a data protection solicitor.
- There may also be follow-up steps, e.g., informing third parties about the required data rectification.
People can make verbal or written rectification requests, and they do not need to mention the UK GDPR. Your business should train staff to recognise and log these requests to avoid slip-ups.
Responding to rectification requests
Before responding to a rectification request, your business should first determine whether any exemptions apply that might entitle you to refuse the request, either partially or in full. These exemptions can be complex, so it’s advisable to seek legal advice if you are uncertain. You may also have grounds to refuse a request if it is manifestly unfounded or excessive, but you must be prepared to justify your decision and clearly explain it to the individual making the request.
Your business must respond to rectification requests within one calendar month. If you require proof of identity or a reasonable fee, the deadline begins once these are received. For particularly complex requests or multiple submissions, you may extend the deadline by up to two additional months. However, you must notify the individual within the first month, explaining why the extension is necessary.
If your business frequently handles rectification requests, such as in cases of a large workforce or a high volume of submissions, using template documents can streamline your processes and ensure consistency. For example, you might create templates (carefully reviewed and tailored to each request) for acknowledging receipt, requesting further information, and providing detailed responses.
Practical steps for managing data accuracy and rectification
Accurate personal data is crucial for legal compliance, best practices, and operational efficiency. Maintaining accuracy helps you avoid costly mistakes, such as offending key clients by failing to correct their names or facing legal trouble by sending important documents to outdated addresses.
While ensuring data accuracy often comes down to common sense and diligent checks, there are key steps your business can take to stay proactive:
- Establish clear policies and procedures for handling data rectification requests, ensuring your teams know how to respond when a request arises.
- Provide staff training to handle requests promptly and effectively, adhering to strict legal timeframes.
- Implement processes to monitor and identify when data needs updating.
- Utilise robust data management systems to efficiently update and correct information as needed.
- Seek legal advice for complex or high-risk cases, such as determining when specific exemptions allow you to refuse rectification requests.
In summary, maintaining accurate data not only supports legal compliance but also enhances business operations and protects your reputation, helping you avoid pitfalls and ensuring smooth operation.
If you need help understanding these UK GDPR obligations and how your business can comply, our data protection law team is here to help.