Handling data subject requests

Copyright © 2026 LexisNexis

STOP PRESS: This document is being updated to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025) which amends the UK GDPR and Data Protection Act 2018. For more guidance on the compliance implications of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications.

This document reflects Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR) and ICO guidance on the Right of access. It is intended for private-sector commercial organisations in the UK.

Individuals have a number of rights in respect of their personal data under the UK GDPR:

  1. a right of access

  2. rights to rectification, erasure and restriction of processing

  3. a right of data portability

  4. a right of data subjects

A data subject can make a request to a data controller to exercise one or more of these rights at any time. They do not need to explain their reasons for making a request and there are strict time limits for complying. Responding to a data subject request can be onerous for

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

ICO updates data protection by design guidance following DUAA commencement

The Information Commissioner’s Office (ICO) has published its updated guidance on data protection by design and by default alongside the commencement of key Data (Use and Access) Act 2025 (DUAA 2025) provisions. The guidance clarifies that organisations must build data protection considerations into the design and operation of systems, services, products, and processes, ensuring that only the minimum necessary personal information is collected, used, stored, and accessed for each defined purpose. It explains the need for appropriate technical and organisational measures, including robust security controls, clear retention practices, strong default privacy settings, and regular assessment of risks through data protection impact assessments.

FCDO imposes sanctions on six individuals fuelling Sudan conflict

The Foreign, Commonwealth and Development Office (FCDO) has imposed immediate sanctions on six individuals on 5 February 2026. The measures were announced by the Foreign Secretary, Yvette Cooper, following her visit to the Sudan–Chad border. The sanctions target senior commanders of the Rapid Support Forces and the Sudanese Armed Forces, as well as individuals accused of financing the conflict, procuring weapons and recruiting foreign mercenaries, in response to their alleged roles in fuelling the war in Sudan and enabling serious abuses against civilians. The FCDO stated that the measures aim to increase pressure on those responsible for massacres, sexual violence, forced displacement and other atrocities, particularly in Darfur and Gezira states, and to disrupt the financial and logistical networks sustaining the conflict. The sanctions form part of a wider UK strategy combining enforcement, humanitarian assistance and diplomacy. Under this approach, the UK has committed £146m in aid during the current financial year, is calling for an immediate ceasefire and unhindered humanitarian access, and will prioritise Sudan during its February 2026 presidency of the UN Security Council while co-hosting an international conference in April 2026 to strengthen coordinated international efforts to end the conflict and promote accountability.

OFSI amends General Licence INT/2022/1947936 and UK Financial Sanctions FAQs

The Office of Financial Sanctions Implementation (OFSI) has updated its UK Financial Sanctions frequently asked questions (FAQs), amending FAQs 147 and 148. The OFSI has also amended General Licence INT/2022/1947936 and removed expired General Licence INT/2025/8202932.

Risk & Compliance weekly highlights—5 February 2026

This week's edition of Risk & Compliance weekly highlights includes the commencement of major reforms under the Data (Use and Access) Act 2025 and further insights from the ICO on its 2026 regulatory priorities. It also reports on the European Commission’s adoption of an adequacy decision for Brazil, new UK sanctions against Iranian authorities, updates from OFSI on licensing and enforcement reforms and analysis of the government’s proposed National Police Service and its implications for economic crime enforcement.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

If a beneficiary signs a deed of disclaimer of their share of an estate and the estate pays their legal

If a beneficiary signs a deed of disclaimer of their share of an estate and the estate pays their legal fees, will that count as a PET against their estate?A disclaimer is the refusal of a gift prior to acceptance. The refusal of the gift must take place before the beneficiary accepts any benefit

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a
Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

If a beneficiary signs a deed of disclaimer of their share of an estate and the estate pays their legal

If a beneficiary signs a deed of disclaimer of their share of an estate and the estate pays their legal

If a beneficiary signs a deed of disclaimer of their share of an estate and the estate pays their legal fees, will that count as a PET against their estate?A disclaimer is the refusal of a gift prior to acceptance. The refusal of the gift must take place before the beneficiary accepts any benefit

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Contributory negligence in personal injury claims

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a