What Can and Can’t Be Published About You Online: Your Rights Under GDPR
23rd September 2024

Personal information is easier than ever to find and share online. But that doesn't mean that all personal data is fair game for publication. In the UK, data protection laws like the GDPR (General Data Protection Regulation) and the UK Data Protection Act 2018 govern what can and cannot be published about you online. Even publicly available information is subject to strict rules when it comes to privacy.

What Is Personal Data?

Under the GDPR, personal data is any information that can identify a person, whether directly or indirectly. This can include obvious things like your name, email address, and phone number. But it also includes data like:

  • Your date of birth

  • Your address

  • Your mother's maiden name

  • Photos of you

  • Any other information that, when combined, can identify you

If a website or organisation collects or publishes your personal data, they must have a lawful basis for doing so.

What Does "Publicly Available" Mean?

You might assume that if information about you is publicly available—on social media, public registers, or other sources—websites can republish it freely. However, that's not entirely true. Just because information is accessible to the public doesn't mean that it can be published without restriction.

GDPR still applies to publicly available information, which means the person or organisation sharing it needs to comply with data protection laws.

Lawful Bases for Processing Personal Data

Under GDPR, organisations must have a lawful basis for processing (which includes publishing) your personal data. These bases include:

  • Your consent: You gave explicit permission for your data to be used.

  • Contractual necessity: Your data is needed to fulfil a contract with you.

  • Legal obligation: The data is required to comply with the law.

  • Legitimate interest: The organisation has a legitimate reason to process the data, provided it doesn’t override your privacy rights.

For example, a news outlet may claim a "legitimate interest" in publishing certain personal data for journalistic purposes. But even in cases of legitimate interest, they need to balance this against your rights to privacy. If the data could harm you, such as exposing you to identity theft, they may not have a lawful reason to share it.

The Right to Erasure (Right to Be Forgotten)

One of the most important rights under GDPR is the right to erasure, also known as the right to be forgotten. This means you can request that websites or organisations delete your personal data if there’s no lawful reason for them to keep it. You can make this request if:

  • The data is no longer necessary for the purpose it was collected.

  • You withdraw your consent (and no other legal basis exists for processing).

  • The data was unlawfully processed.

  • You object to the processing, and there’s no overriding legitimate interest to continue.

If the website doesn’t comply with your request, you can escalate the issue to the Information Commissioner's Office (ICO), which enforces data protection laws in the UK.

What If a Website Publishes Personal Data Without Consent?

If a website has published your personal data—like your year of birth, your mother’s maiden name, or any other identifying information—you have the right to:

  1. Request its removal: Contact the website and ask them to delete the data. Under GDPR, they must have a valid reason for processing that data, and if they don’t, they are required to remove it.

  2. Challenge their response: Some websites may argue that the information is publicly available and can therefore be republished. This isn’t a sufficient justification under GDPR. Public availability doesn't override your rights to privacy.

  3. Escalate the complaint to the ICO: If the website refuses to delete the data or if you're not satisfied with their response, you can report the issue to the ICO, who can investigate the matter further.

How to Protect Your Personal Data

Even though UK laws provide strong protections, there are steps you can take to reduce the likelihood of your personal data being published online:

  • Limit the personal information you share on public platforms like social media.

  • Review privacy settings on your accounts to ensure that your information is only visible to people you trust.

  • Regularly check what information about you is accessible online, and contact websites that may be sharing data without your consent.

How to File a Complaint with the ICO

If a website refuses to delete your data, you can escalate the issue to the Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights.

The ICO can help enforce your rights under GDPR, investigate complaints, and, if necessary, issue penalties to organisations that breach the law.

For more information, check the ICO’s guides and complaint services:
