In our increasingly data-driven world, personal information flows constantly between individuals, businesses, and various online platforms. While organisations strive for accuracy, errors can occur, leading to outdated, incomplete, or simply incorrect data about individuals. Recognising the potential harm inaccurate data can cause – from misdirected mail to incorrect credit scores or flawed automated decisions – the UK GDPR grants individuals a vital safeguard: the Right to Rectification.
This right empowers you to ensure that the personal data an organisation holds about you is accurate and complete. It’s not just about correcting a simple typo; it’s about maintaining the integrity of your personal information. For individuals, knowing how to exercise this right is crucial for maintaining control over their digital identities. For businesses and organisations in the UK, understanding their obligations when receiving a request for rectification is a fundamental aspect of UK GDPR compliance, demanding swift and precise action.
This article will explain the Right to Rectification in detail, outlining how individuals can exercise this important right and the responsibilities that organisations must uphold when responding to such requests.
Your Right to Get It Fixed: Like Correcting a Public Record
Think of your personal data as an entry in a significant public record, perhaps your birth certificate or a property deed. If that record contained an error – a misspelling of your name, an incorrect date, or a missing detail – you would undoubtedly have the right to get it fixed. This process ensures that the official record accurately reflects your true information, preventing any future misunderstandings or complications arising from that inaccuracy.
The Right to Rectification under UK GDPR works in a very similar way. It’s your personal guarantee that if an organisation holds inaccurate, incomplete, or outdated personal data about you, you have the clear legal power to demand that they correct it. This right acknowledges that even in the digital realm, accuracy matters, and individuals should not be disadvantaged by errors in their personal information.
What is the Right to Rectification?
The Right to Rectification (Article 16 of the UK GDPR) grants individuals the right to:
- Have inaccurate personal data rectified without undue delay. This means correcting any factual errors.
- Have incomplete personal data completed, including by providing a supplementary statement. This addresses missing information that might make the existing data misleading or insufficient for the purposes it’s being used.
The organisation holding the data (the ‘controller’) has a clear obligation to take reasonable steps to ensure the accuracy of the personal data they process. When an individual identifies an inaccuracy or incompleteness, the controller must rectify it.
When Does the Right to Rectification Apply? (The Conditions)
The Right to Rectification is generally applicable whenever an individual believes the personal data an organisation holds about them is inaccurate or incomplete. There are no specific “grounds” for exercising this right in the same way there are for the Right to Erasure; if the data is inaccurate or incomplete, the right applies.
What constitutes ‘inaccurate’ data?
- Factual errors: Incorrect spelling of a name, wrong address, wrong date of birth.
- Outdated information: A previous address that has not been updated.
- Incomplete data: A record missing a crucial piece of information that makes the existing data misleading (e.g., a medical record noting a diagnosis but omitting a key follow-up treatment).
What constitutes ‘personal data’? Remember, personal data is any information relating to an identified or identifiable natural person. This includes not just your name and address, but also IP addresses, cookie identifiers, CCTV footage, financial details, and more, as covered in our article “Beyond Names and Emails: What Truly Counts as Personal Data Under UK GDPR?”. If any of these are inaccurate or incomplete, the Right to Rectification can be invoked.
Example scenarios where the right applies:
- Online Shopping Account: You move house, but your old address is still listed as your primary address on an online retailer’s account. You have the right to get this corrected.
- Employment Records: Your HR file contains an incorrect emergency contact number or an outdated qualification. You can request rectification.
- Customer Relationship Management (CRM) System: A sales team’s CRM has your company name misspelled or a wrong industry classification attached to your profile. You can ask for it to be corrected.
- Newsletter Subscription: You updated your email address, but the newsletter continues to be sent to your old one. You can request rectification.
- Automated Profiling: If an organisation uses profiling and you believe the data used to create your profile is inaccurate, leading to an unfair outcome (e.g., an incorrect risk assessment based on old financial data), you can request the underlying data be rectified.
How to Exercise Your Right to Rectification: A Guide for Individuals
Exercising your Right to Rectification is designed to be straightforward. Here’s how you can make a request:
- Who to Contact:
  - You can send your request to any part of the organisation. Most organisations will have designated contact points for data protection queries, often found in their privacy policy or on their website’s “Contact Us” page.
  - While any employee receiving a rectification request should treat it as valid, directing it to a specific data protection email or contact ensures it reaches the right department promptly.
- How to Make a Request:
  - There is no specific form or formal wording required. You do not need to quote the UK GDPR explicitly.
  - You can make a request verbally (e.g., over the phone, in person) or in writing (e.g., letter, email).
  - Best Practice: Submitting your request in writing (email or letter) is highly recommended. It provides a clear, documented record of your request, including what you asked for and when. If you make a verbal request, it’s a good idea to follow up with a written confirmation for your own records.
- What to Include in Your Request:
  - Your Full Name and Contact Details: Essential for the organisation to identify you and respond.
  - Specific Inaccurate Data: Clearly state which specific piece(s) of personal data you believe are inaccurate or incomplete.
  - The Correct Information: Provide the accurate or complete information you wish to replace the inaccurate data with.
  - Why it’s Inaccurate/Incomplete: Briefly explain why you believe the data is wrong or missing.
  - Any Relevant Account Numbers or Identifiers: If you have an account number, customer ID, or similar identifier, including it can help the organisation locate your data efficiently.
- Proof of Identity:
  - The organisation may ask for proof of identity to ensure they are dealing with the correct individual and to prevent fraudulent requests. This is a reasonable and proportionate step.
  - They should only request information necessary to verify your identity. This might involve a copy of a passport, driving licence, or a recent utility bill. The organisation should already have robust identity verification methods in place if you are an existing customer or employee.
  - Important Note: The one-month time limit for the organisation to respond begins once they have received all the information they reasonably need to confirm your identity and understand your request.
Organisation’s Obligations: Responding to a Rectification Request
When an organisation receives a Right to Rectification request, they have clear responsibilities under UK GDPR:
- Acknowledge and Verify:
  - It is good practice to acknowledge receipt of the request promptly.
  - Verify the identity of the requester using reasonable and proportionate measures.
- Time Limit for Response:
  - The organisation must respond to the request without undue delay and, at the latest, within one calendar month of receiving it.
  - Extension: If the request is complex or the organisation receives numerous requests, they can extend the deadline by a further two months. However, they must inform the individual of this extension and the reasons for it within the initial one-month period.
- No Fee (Generally):
  - Organisations cannot typically charge a fee for responding to a rectification request.
  - Exception: A “reasonable fee” can only be charged if the request is “manifestly unfounded or excessive” (e.g., repetitive requests for the same correction without new information) or if you request further copies of information you have already received. The ICO sets a high bar for such charges.
- Action to Take:
  - Rectify the Data: The organisation must take reasonable steps to correct the inaccurate personal data or complete the incomplete data. This should be done across all relevant systems where the data is held.
  - Inform Third Parties: If the personal data has been disclosed to third parties (e.g., other data controllers or processors), the organisation must take “reasonable steps” to inform those recipients of the rectification, so that they also update their records. This obligation does not apply if it proves impossible or involves disproportionate effort (e.g., tracing a vast number of historical, one-off disclosures that no longer serve a purpose).
  - Backups: As with deleting data under the Right to Erasure, correcting data in backup systems might be technically challenging. If rectification on backups is not reasonably feasible, the organisation must ensure that the inaccurate data is not processed if a backup is restored, and that it is overwritten by the corrected data as soon as possible.
- Communicate Decision:
  - If the organisation complies: It must inform the individual that their data has been rectified.
  - If the organisation refuses: Where a request is refused (e.g., the organisation genuinely believes the data is accurate, or the request is manifestly unfounded), it must inform the individual of its decision within one month. It must explain the reasons for the refusal and inform the individual of their right to complain to the Information Commissioner’s Office (ICO) and to seek a judicial remedy through the courts.
- Documentation:
  - Maintain thorough records of all rectification requests received, the actions taken (or reasons for refusal), and the communication with the individual. This documentation is vital for demonstrating UK GDPR compliance and accountability.
Nuances and Practical Considerations for Businesses
Implementing the Right to Rectification effectively requires several practical considerations:
- Data Quality is Key: The best way to manage rectification requests is to minimise them in the first place. Invest in data quality initiatives, regular data reviews, and providing mechanisms for individuals to update their own data (e.g., via a customer portal).
- Understanding Data Flows: Organisations need a clear understanding of where personal data is stored, how it flows between systems, and which third parties it is shared with. This data mapping is crucial for ensuring that rectification is comprehensive.
- Proactive Information to Individuals: Being transparent about how individuals can update their data (e.g., in privacy policies, account settings) can reduce the need for formal rectification requests.
- Distinguishing Between Fact and Opinion: The right generally applies to factual inaccuracies. If the data is an opinion (e.g., “customer feedback suggests John Smith was unhelpful”), the individual cannot demand it be ‘rectified’ as a factual error. However, they might have the right to add a supplementary statement to dispute it.
- Accuracy vs. Completeness: Remember the right covers both. A data point might be factually accurate but misleading because it’s incomplete. The individual can provide a supplementary statement to complete it.
- Training and Awareness: Ensure all staff who might receive a request (customer service, HR, IT) are trained to identify a rectification request and know the correct internal process for handling it.
Ensuring Accuracy and Trust
The Right to Rectification is a powerful component of the UK GDPR framework, underscoring the principle that personal data should be accurate and kept up to date. For individuals, it provides an essential mechanism to correct their digital record, protecting them from the potential adverse effects of inaccurate or incomplete information.
For organisations, respecting this right is a fundamental aspect of data stewardship. It’s about maintaining data quality, enhancing transparency, and building trust with individuals. By having clear procedures for receiving, assessing, and acting upon rectification requests, businesses can ensure they are compliant with UK GDPR and demonstrate their commitment to handling personal data responsibly and ethically in the United Kingdom.