Introduction to this document

GDPR rectification of data response letter

Once you’ve dealt with an individual’s request, made under the UK GDPR, for rectification of their personal data, you can use our letter to set out your response to them.

Rectification of personal data

The UK GDPR enables individuals to submit a request that you rectify the personal data that you hold about them, i.e. correct it where it’s inaccurate or complete it where it’s incomplete. You can then use our GDPR Rectification of Data Response Letter to let them know that their personal data has been rectified as requested. It enables you to set out what inaccurate personal data has now been corrected and/or what incomplete personal data has now been completed following their request. Note that the Information Commissioner’s Office (ICO) advises that a record of a mistake that has subsequently been rectified should not be considered as being an inaccuracy, as long as there’s a record that a mistake was made and that it’s been corrected.

Third parties

As you’re also required to let any third parties, such as external benefit providers, know about the rectification of personal data if the relevant data has been disclosed to them, our letter also includes an optional paragraph covering this, i.e. it provides for you to let the individual know which third-party recipients have been notified. However, there are two caveats to this which apply where notification to third parties either proves to be impossible or would involve disproportionate effort. So, our letter has two optional paragraphs you can use where you’re relying on either of those circumstances.

Request rejection

The only reason that you can rely on to reject a request for rectification is where the personal data doesn’t need to be rectified because you’ve taken steps to verify its accuracy or completeness and, as a result of your enquiries, you believe that it’s already accurate and/or complete. So, our letter covers that option too. Under the UK GDPR, you need to explain your reasons for not taking action without undue delay and at the latest within one month of receipt of the request. Make sure that you’ve taken steps to verify the position first before you reject a request, as the individual can lodge a complaint with the ICO where they don‘t agree with your decision, or take legal action to enforce rectification, and you need to inform them of the possibility of doing this.