

Setting the record straight: GDPR and the right to rectification

GDPR gives individuals a greater say over how their data is used by others. In particular, GDPR reiterates the previous legislation’s rules about the need for companies to keep accurate information. It also enhances the rights of individuals to have inaccurate information about them corrected or rectified.

In this article we examine the main issues of concern around incorrect personal data and the right of rectification under GDPR compliance regulations.

You might find it useful to refer to our GDPR FAQs alongside this guide.

What is the GDPR right to rectification?

Article 16 of the GDPR states that data subjects have the right to have inaccurate data about them rectified. Even if you or your organisation have taken reasonable steps to ensure accuracy when first gathering the data, the right of rectification means that, as a data controller, you are obliged to check the accuracy of the data you hold when a data subject asks you to.

Why data accuracy matters for your business

Today, businesses depend on accurate and consistent personal data. In a purely commercial sense, the accuracy of the data you hold about clients, consumers and customers is critical. If the data is not a true reflection of reality – or is inconsistent – then it can’t be relied on when it comes to creating business plans, developing analytics or providing effective customer service. Relying on incomplete or inaccurate data for marketing purposes could, for example, result in you drawing the wrong conclusions and targeting the wrong people.

From a legal point of view, data accuracy matters because it’s a requirement of data protection legislation like GDPR.

Briefly, the rules are:

  1. Personal data must be accurate
  2. When necessary, data must be kept up to date
  3. Personal data is inaccurate if it is incorrect or misleading
  4. Organisations must take all reasonable steps to erase or rectify inaccurate information.

A failure to keep accurate information, or to correct it when requested, can lead to regulatory intervention and sanctions. In turn, this may damage the reputation of your business.

Does incomplete personal data mean it is inaccurate?

It will depend on the nature of the data and whether the missing information renders the data as a whole inaccurate. Individuals can, however, ask your organisation to add information that’s missing from the data you hold on them. This is part of the right to rectification that we examine below.

Does data have to be kept up to date?

Not always. You need to consider what you use the information for. For example, it would be sensible to amend a regular customer’s records if they change address so goods get delivered to the right place. While you aren’t required to proactively check if every customer has changed address, if a customer informs you of this or another change in their personal data you are obliged to update your records. But it wouldn’t be necessary to do the same for a client who will only ever use your services on one occasion. Usually it will be obvious whether or not the data in question needs to be kept up to date. If you have stored data to create statistical or historical information it would clearly undermine your research if you continually updated that data.

How to improve data accuracy and integrity

If you collect the data yourself it’s up to you to avoid collecting inaccurate data. Practical steps you can take include ensuring that forms you ask individuals to complete (job applications for example) are comprehensive and clear – to minimise the possibility of misunderstanding and individuals providing inaccurate data. Of course you can’t always confirm every piece of information provided to you by a customer or client but you can ensure that you:

  • Record the information provided carefully and accurately
  • Satisfy yourself as to the reliability of the source of the information
  • Take reasonable steps to ensure the accuracy of the information – for example by independently verifying qualifications disclosed by an employee

If you discover inaccurate data, you should remove it or update it as soon as appropriate. Many aspects of personal data will change over time. Information that was accurate when obtained may become inaccurate following some event in the data subject’s life. Again, if you become aware of this you should take all necessary steps to update your records.

What right does a data subject have to correct inaccurate personal data?

The right of individuals to have inaccurate data corrected or rectified and have incomplete information completed is safeguarded under Article 16 of GDPR.

Even if you have taken the steps described above to safeguard the accuracy of information you hold, you must re-examine the information if you receive a request for rectification. If it transpires that the information is inaccurate, you must take all reasonable steps to rectify it.

Recognising requests for rectification and recording them

There is no formal method for making a request for data rectification. If an individual contests the accuracy of information and asks you to correct it, you should treat it as a rectification request. Because the request can be made to anyone in your organisation, it’s helpful to train the individuals who are likely to receive such requests and to introduce protocols for recording them.

When should personal data be rectified?

The time limits for dealing with a data rectification request are similar to the time limits for responding to subject access requests. You have one month from receiving the request to respond.

If you are charging an administration fee or have requested proof of the individual’s identity, the clock runs from the date of receipt of the fee or proof of ID. If the request is complex, it’s possible to extend the time limit by two months, but you must explain this to the requester.

Accidental disclosure of personal data to third parties

As with any data breach, your first responsibility is to consider if the disclosure of information poses a likely risk to the rights and freedoms of individuals. If there is a risk, you must report the matter to the Information Commissioner.

If incorrect information is released as a result of a breach, it may remove any risk to individuals (for example by making identification impossible), meaning there may not be a need to report it. On the other hand, it could increase the risk to individuals, triggering your internal procedure for reporting data breaches, which will involve contacting the ICO and affected individuals. Each case must be considered on its facts.

Correcting personal data that has been shared with other parties

Unless the exercise would be disproportionate, when you have disclosed inaccurate or incomplete personal data to third parties you must inform them when you rectify that information and provide details of the new data.

About our expert

Lillian Tsang MBA

Senior Data Protection and Privacy Solicitor
Lillian is an experienced data protection and privacy lawyer who qualified in 2008. She advises clients on a broad range of matters - from strategic compliance with a global stance to day-to-day operations. Her role also includes Harper James' Head of DPOaaS division (Data Protection Officer as a Service), where we act as the external DPO for a business or provide support to existing DPOs.


What next?

We’ve prepared a comprehensive guide to GDPR compliance to help you remain compliant. If you would like to discuss rectification or any other issues related to data protection, call us on 0800 689 1700 or email us at enquiries@harperjames.co.uk.
