Under GDPR, companies can refuse rights requests that are manifestly unfounded or excessive. Learn when and how to lawfully say no. You can refuse to act on a GDPR request if it’s manifestly unfounded or excessive. This includes: If you refuse, you must: 💡 Tip: Keep a clear record of all refused requests and your…
You can ask for ID before fulfilling GDPR requests — but only when necessary. Here’s how to verify identity without breaching privacy. The UK GDPR allows companies to request ID if they have reasonable doubts about the identity of the requester. But be careful — asking for too much ID or failing to protect it…
Companies must respond to GDPR rights requests within strict timeframes. Here’s what counts as a valid request — and when deadlines can be extended. The default timeline to respond to data subject rights requests (access, erasure, objection, etc.) is one calendar month. You may extend this by two months if the request is: But —…
Under GDPR Article 16, individuals have the right to correct inaccurate personal data. Learn how your company can stay compliant. Under Article 16 of the UK GDPR, individuals have the right to request the correction of inaccurate or incomplete personal data. Common requests include updates to: Companies must respond without undue delay, usually within one…
The UK GDPR gives individuals the right to access their personal data. Here’s what companies need to know about handling Subject Access Requests (SARs) effectively. The UK GDPR gives individuals the right of access under Article 15. This allows people to ask what personal data your company holds about them and request a copy. SARs…
Subject access requests are easier (and cheaper) if you delete what you no longer need. Here’s why that’s strategic. Subject access requests (SARs) are rising — and they are expensive. But here’s the secret: the less data you hold, the less you have to search, redact, and disclose. Retention policies don’t just reduce legal risk….