SAR & Data Governance Toolkit

1. Your Data is Your Evidence

In a dispute with your employer, evidence is everything. These rights are powerful tools for transparency and accountability. An organisation's response to your data rights request is a huge test of their culture and how seriously they take their legal duties.

Don't wait for your employer to finish their slow internal processes. Acting early protects your evidence, strengthens your legal position, and puts you in control.

2. Core Principles Under UK GDPR (Article 5)

Organisations must comply with these principles when handling your data. If they breach any of them, you have grounds to challenge.

• Lawfulness, fairness, and transparency: Processing must have a lawful basis and be clear to you.
• Purpose limitation: Data can only be used for the specific reason it was collected.
• Data minimisation: Only the minimum necessary data should be processed.
• Accuracy: Personal data must be accurate and kept up to date.
• Storage limitation: Data should not be kept longer than necessary.
• Integrity and confidentiality: Data must be kept secure from breaches.
• Accountability: The organisation must be able to prove its compliance.

3. Lawful Bases for Processing (Article 6)

An organisation must have at least one of these lawful bases to process your personal data. If they cannot justify processing under one of these, you can challenge its lawfulness.

• Consent: You've given clear and unambiguous consent.
• Contract: Processing is necessary for a contract you have with them.
• Legal obligation: They are required by law to process the data.
• Public task: They are carrying out a task in the public interest.
• Legitimate interests: They have a legitimate reason not overridden by your rights.

4. Your Key Enforcement Rights

Right of Access / Subject Access Request (Article 15)

Your right to request a copy of all personal data an organisation holds about you. A well-written SAR can uncover crucial evidence for a grievance or tribunal claim — forcing an organisation to search its records and disclose emails, meeting notes, and internal memos where you are mentioned. They must respond within one month.

Right to Rectification (Article 16)

You can demand that inaccurate or incomplete personal data be corrected without undue delay. If an organisation has made a defamatory or incorrect statement about you in their records, you can use this right to force them to correct it.

Right to Restrict Processing (Article 18)

This is your right to "freeze" your data. If you believe your data is inaccurate or is being used unlawfully, you can request that its processing be restricted. This legally requires the organisation to preserve the data as-is but prevents them from using, altering, or deleting it.

Right to Notification (Article 19)

If an organisation rectifies, erases, or restricts processing of your data, they must communicate that change to any third parties they have shared your data with.

The Legal Duty to Preserve Evidence ("Litigation Hold")

Separate from GDPR, once a party knows a formal dispute is likely, they have a duty to preserve all relevant evidence. Deliberately deleting relevant records can have serious legal consequences for an organisation.

5. If They Ignore or Refuse Your Request

6. If They Punish You for Making a Request

Exercising your data rights is a legally protected activity. If your employer treats you unfairly after you make a request, this is unlawful and falls into two categories:

• Unlawful Detriment: In employment law, you suffer a "detriment" if you are put at a disadvantage for asserting a legal right. Punishing you for making a SAR is a classic example.
• Victimisation (Equality Act 2010): If you use a SAR to gather evidence for a discrimination claim and your employer treats you badly as a result, this is a clear case of victimisation — which is itself an additional legal claim you can bring.