If Your Legal Rights Only Work When You Have Stamina, Who Are They Really For?

Opinion

If Your Legal Rights Only Work When You Have Stamina, Who Are They Really For?

UK GDPR was written with universal intent. Every adult in the UK has the right to know what personal data organisations hold about them. The right to correct it. The right to erase it. The right to object to its processing.

Every adult. The word was deliberate. This was supposed to be a right for everyone, not a right for people who happen to know what a data broker is.

I want to be honest about what happened.

The Gap Between the Words and the Reality

The rights are real. They exist in statute. The ICO has template letters. The process is documented. Anyone can, in principle, exercise these rights against any data broker.

In practice, exercising those rights requires: knowing which data brokers exist and hold your personal data, finding their individual removal or opt-out routes, understanding the difference between suppression and deletion, submitting the request in a form the broker accepts, providing identity verification without handing over more data than necessary, tracking the one-month response deadline, sending a chaser on day 28 before the deadline passes, reading the response and determining whether it is legally adequate, challenging an inadequate response, submitting an ICO complaint if the broker ignores or improperly refuses, and repeating the entire sequence every 90 days when data reappears from refreshed upstream sources.

That is not a right. That is an unpaid part-time job that never ends, assigned to the person whose rights were violated in the first place.

Who Can Actually Do This

Let us be precise about who can sustain the rights exercise process indefinitely.

People who know what a data broker is, or are willing to learn. People who have time outside work and family responsibilities for ongoing administrative tasks. People who have the confidence to write formal requests to companies and challenge their responses. People who are comfortable navigating the ICO complaints process. People who will not abandon the effort when the data reappears for the third time and the fourth and the fifth.

That profile systematically advantages the educated, the digitally literate, the English-fluent, the time-rich, and the persistent. It disadvantages the person who uses their home address as their company’s registered office because they were not told not to, has never heard of the ICO, does not know what Article 17 means, and has a business to run.

And that second person, the one who does not have time for ongoing legal correspondence with twenty commercial data brokers, is exactly the person most likely to be exploited by the exposure the system created.

The Systemic Design Problem

Here is the point I am building towards.

A right that requires sustained individual labour to exercise against a systemic problem is not designed to solve the systemic problem. It is designed to provide a release valve.

The release valve is real. It allows the most persistent individuals to reduce their own exposure. It also allows the system to claim that rights exist and are exercisable, when the practical experience of most individuals is something quite different.

If the regulatory design had been serious about addressing the data broker market, the starting point would have been this: how do we make the right not to be commercially profiled without your knowledge the default, rather than making the opt-out a private exercise in administrative endurance?

That is not the design that was built. The design that was built requires you to find the brokers, which is itself a specialist task. The design that was built places the burden of repetitive administrative compliance on the individual, not the organisation doing the processing. The design that was built, as the Experian tribunal case demonstrated, gives commercial organisations a genuine legal basis for processing personal data at scale without individual consent, so long as they claim legitimate interests and conduct a balancing test.

The Deliberate Friction Argument

I am going to make a claim that some people will find uncomfortable.

The friction in the data rights exercise process is not an accident of poor implementation. It is a predictable consequence of a design that balanced commercial data economy interests against individual rights and came down, in practical terms, more on one side than the other.

Friction benefits the organisations doing the processing. If the rights exercise process is laborious, most people will not start it. Of those who do, many will abandon it when data reappears. The fraction who persist to the point of meaningful reduction in their commercial profile is small. And that small fraction’s persistent effort does not change what happens to the majority.

I am not arguing that the law was written in bad faith. I am arguing that the outcome, a data rights framework that functions primarily as a personal exercise in administrative endurance rather than a structural check on commercial data processing, was predictable from the design choices that were made.

What Would Actually Work

Three structural changes would make UK data rights genuinely universal rather than theoretically available.

First, meaningful transparency requirements on brokers that allow individuals to easily identify which companies hold their data, from which sources, and what they have done with it. Not a privacy notice on a website they will never find. Actual discoverability.

Second, a prohibition on reprocessing data after a confirmed erasure request from an upstream source that the broker continued to use. If you remove my data and then reacquire it from the same source that you were already using, you have not honoured the erasure. You have just reset the clock.

Third, a funded public awareness campaign. Not a government website. An active campaign that tells every UK director that their data is probably in commercial profiles, explains what that means, and walks them through the exercise of their rights in plain English.

None of those three things is technically difficult. None requires new legislation beyond existing powers. All of them would cost money and face commercial resistance.

Which is why they have not happened.

The One Thing I Am Asking

If you read this, use one piece of it.

If you do nothing else about your data broker exposure, opt out of the open electoral register. Contact your local council. It takes ten minutes. It costs nothing. It removes your home address from the commercially available version of the register that feeds broker databases.

One action. Ten minutes. Free. No tracking spreadsheet. No ICO complaint. No repeated follow-up.

The rest of the system will continue operating as described. But that one action is within everyone’s reach, regardless of stamina.

How to Turn This Into a Competitive Advantage

For MSPs and business advisers, the stamina argument is a client conversation about realistic expectations. Clients who have tried and abandoned the erasure process, or who subscribed to a removal service without addressing upstream sources, need honest advice about what the process actually requires. Being the adviser who explains this clearly, rather than selling a solution that creates false confidence, is a differentiator.

For business owners, active management of data rights, even imperfect and partial management, demonstrates governance seriousness. A director who has opted out of the open electoral register, applied for Companies House suppression, and submitted documented erasure requests is in a materially stronger position than one who has not. That position is documentable.

How to Sell This to Your Board

The structural argument translates simply. The law gives directors data rights. Exercising those rights is laborious in ways that systematically disadvantage people without time and confidence. The business should manage those rights on behalf of its directors, not leave each director to navigate the process individually. Assign ownership. Fund the time. Review at 90 days.

What to Do This Week

  1. Opt out of the open electoral register. Contact your local council. Ten minutes. Free. The single lowest-effort, highest-impact action in this entire series.
  2. Check Companies House for home address exposure. If it exists, start the suppression process.
  3. Submit erasure requests to the top two or three broker sites that appear for your directors in search results. Use the ICO template letters from Thursday’s guide.
  4. Contact your trade association and ask what position they have on director data exposure and data broker regulation.
  5. Set a 90-day calendar reminder to recheck search results for your directors.
SourceArticle
ICOYour right to get your data deleted
ICOElectoral register opt-out
ICOGuidance for the data broking sector
Privacy InternationalUK regulator takes enforcement action against data brokers
GOV.UKData Protection Act 2018
Action FraudMandate fraud guidance

Filed under

  • smb-security
  • uk-business
  • compliance-failure
  • data-protection
  • business-risk
  • executive-security
  • public-sector-security