Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
What Is the GDPR Right to Erasure?
The right to erasure comes from Article 17 of the UK GDPR (General Data Protection Regulation) and is sometimes known as the “right to be forgotten”. In simple terms, it allows individuals to ask your business (or any organisation) to permanently delete their personal data in specific circumstances. Here’s a quick overview:
- If someone makes a valid request, you may have a legal duty to erase all personal information you hold about them.
- Personal data includes anything that can identify a living person – think names, email addresses, phone numbers, addresses, customer identifiers, and even purchase history linked to that individual.
- This right applies to data you store on your systems, backups, cloud services and, in some cases, data you’ve shared with third parties.
When Does the Right to Erasure Apply?
The right to erasure only applies in certain situations. According to UK GDPR and official ICO guidance, you’re required to erase someone’s data if:
- The person withdraws the consent they originally gave you to use their data – unless you have another legitimate reason to keep processing it.
- The individual objects to your use of their data for direct marketing, and you have no overriding legitimate reason to keep it.
- You no longer need the data for the reason you collected it in the first place.
- You’ve processed the data unlawfully or in breach of data protection laws.
- There’s a legal obligation for you to erase the data (for example, under another UK law).
- The data was collected from a child (under 13) using online services.
- An ex-customer tells you to delete their account and you have no legal need to keep their records.
- An individual asks to unsubscribe from all your marketing and for their data to be wiped from marketing databases.
- An employee’s information is held beyond the period required by employment law – they ask for it to be erased and you no longer need it.
When Can You Refuse an Erasure Request?
You don’t always have to erase data just because someone asks. You have the right (sometimes, the duty!) to turn down a request if:
- You must keep the data to comply with a legal obligation (for example, keeping tax records for HMRC).
- It’s needed to defend legal claims (such as potential disputes, chargebacks, or employment matters).
- The data is necessary for performing a contract with the individual, or for exercising official authority.
- You require the information for reasons of public health, scientific/historical research, or for the performance of a public interest task.
Why Is Responding to Erasure Requests So Important?
You’ve probably heard about GDPR fines, but what’s at stake if you mishandle a data erasure request? The risks are real:
- Fines from the ICO up to £17.5 million or 4% of annual global turnover – whichever is higher.
- Legal claims from affected individuals, including for damages or distress.
- Damage to your business reputation and loss of trust from customers, partners, or staff.
- Investigations and costly disruption from regulatory scrutiny.
How Should My Business Handle a Data Erasure Request? A Step-by-Step Guide
Let’s look at a practical process for dealing with erasure requests as smoothly and efficiently as possible.
1. Recognise Erasure Requests Quickly
Any written request – including an email, customer portal submission, or even a social media message – can count. There are no “magic words”: if someone asks you to erase or delete their personal data, you’re on the clock.
2. Confirm the Identity of the Requester
You must make sure you’re dealing with the right individual before erasing any data. Reasonable identity checks (for example, asking for confirmation of a registered email or address) are acceptable, but keep them proportionate – don’t make it needlessly difficult.
3. Assess Whether the Request Qualifies
Use the legal criteria listed above to decide if you must erase the data. Ask yourself:
- Is the data still necessary for the purpose it was collected?
- Is there a legal requirement to retain the data (such as compliance with financial regulations)?
- Is there a legitimate reason to keep processing it?
4. Decide and Take Action Promptly
Under UK GDPR, you usually have one month to respond to the request. If you’re erasing the data:
- Delete all copies and backups where possible.
- Remove the data from all linked services and applications.
- Inform any third parties (for example, marketing agencies or cloud storage providers) to whom you’ve disclosed the data and ask them to erase it too, where feasible.
5. Keep a Record of the Request and Your Decision
GDPR expects you to demonstrate compliance. Document:
- When and how the request was received.
- What checks you carried out to confirm identity.
- Your assessment and the reasons for your decision (erase or refuse).
- The actions you took, including any notifications to third parties.
6. Let the Requester Know the Outcome
Notify the individual in writing once the erasure is completed or if their request was refused – provide an explanation and information about their next steps should they wish to challenge your decision.
Common Challenges in Data Erasure – And How to Overcome Them
Data deletion isn’t always straightforward, especially for growing businesses that use a mix of cloud services, marketing platforms, and integrations. Here’s how to tackle the hard parts:
Data Stored in Multiple Places (Including Backups)
Personal data may be duplicated across databases, third-party applications, and automated backups.
- Map out where all personal data is stored – create a data inventory.
- Set up processes to ensure data is deleted from all places (including retention and backup schedules).
- If deletion from certain backups isn’t immediately possible, ensure these backups are isolated and will eventually be overwritten or erased when feasible. Clearly explain any limitations to the requester.
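Steps 4 and 5 of the guide above (erase, then record what you did) and the multi-location problem in this section are the parts an engineer has to turn into something concrete. The script below is an added illustration written for this page, not Sprintlaw’s or the ICO’s code; every store, record, processor name and the LEDGER_KEY are constructed samples. It walks a data inventory, erases from stores that can be purged, keeps records that have a stated legal basis and says why, logs backups that can only be overwritten on rotation, and produces a compliance record that refers to the requester by a keyed hash rather than their email address. It also keeps a suppression list so that restoring an old backup does not quietly bring the erased records back.

```python
"""Erasure workflow over a data inventory, with a compliance record that holds no
personal data and a suppression list for backups that cannot be purged yet.
All stores, records, names and the key below are constructed samples."""
from __future__ import annotations

import calendar
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Key used only to pseudonymise the subject in the compliance record
# (constructed placeholder; load it from a secrets manager in practice).
LEDGER_KEY = b"constructed-ledger-key"


def subject_ref(email: str) -> str:
    """Keyed hash of the identifier: the record proves which request was handled
    without itself retaining the erased email address."""
    digest = hmac.new(LEDGER_KEY, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def response_deadline(received: date) -> date:
    """One calendar month after receipt, clamped to the last day of a short month."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))


@dataclass
class DataStore:
    name: str
    records: list = field(default_factory=list)   # each record carries an "email" key
    purgeable: bool = True                # False for backups only overwritten on rotation
    rotation: date | None = None          # required when purgeable is False
    retention_reason: str | None = None   # legal basis for keeping records, if any
    shared_with: str | None = None        # processor holding a copy, to be notified


@dataclass
class ErasureRequest:
    request_id: str
    email: str
    received: date
    channel: str
    identity_check: str


def _is_subject(record: dict, email: str) -> bool:
    return record["email"].strip().lower() == email.strip().lower()


def process_erasure(req: ErasureRequest, inventory: list[DataStore],
                    suppression: set[str], today: date) -> dict:
    """Apply the request to every store in the inventory; return the compliance record."""
    ref = subject_ref(req.email)
    record = {
        "request_id": req.request_id, "subject_ref": ref,
        "received": req.received.isoformat(), "channel": req.channel,
        "deadline": response_deadline(req.received).isoformat(),
        "identity_check": req.identity_check, "decision": "erase",
        "actions": [], "pending_backups": [], "third_parties_notified": [],
        "completed": today.isoformat(),
    }
    for store in inventory:
        hits = [r for r in store.records if _is_subject(r, req.email)]
        if not hits:
            continue
        if store.retention_reason:
            # Records with a legal basis stay, and the reason is recorded: decision is partial.
            record["decision"] = "partial"
            record["actions"].append(f"{store.name}: retained {len(hits)} record(s) - {store.retention_reason}")
            continue
        if store.purgeable:
            store.records = [r for r in store.records if not _is_subject(r, req.email)]
            record["actions"].append(f"{store.name}: erased {len(hits)} record(s)")
        else:
            record["pending_backups"].append({"store": store.name, "erased_by": store.rotation.isoformat()})
        if store.shared_with:
            record["third_parties_notified"].append(store.shared_with)
    # The suppression list lets a later backup restore re-apply the erasure.
    suppression.add(ref)
    return record


def restore_backup(backup: DataStore, target: DataStore, suppression: set[str]) -> int:
    """Restore a backup into a live store, withholding anyone on the suppression list.
    Returns the number of records withheld."""
    kept = [r for r in backup.records if subject_ref(r["email"]) not in suppression]
    target.records = list(kept)
    return len(backup.records) - len(kept)


def demo() -> tuple[dict, list[DataStore], DataStore]:
    """Constructed inventory: a purgeable CRM, a tax-retained invoice ledger,
    a mailing list shared with a processor, and a tape backup rotated quarterly."""
    crm = DataStore("crm", [{"email": "Ana@example.com", "name": "Ana"},
                            {"email": "bob@example.com", "name": "Bob"}])
    invoices = DataStore("invoices", [{"email": "ana@example.com", "total": 120}],
                         retention_reason="tax records kept for HMRC")
    mailing = DataStore("mailing_list", [{"email": "ana@example.com"}],
                        shared_with="Mailing platform (constructed processor)")
    tape = DataStore("tape_backup", [{"email": "ana@example.com", "name": "Ana"},
                                     {"email": "bob@example.com", "name": "Bob"}],
                     purgeable=False, rotation=date(2025, 3, 31))
    req = ErasureRequest("ER-0001", "ana@example.com", date(2025, 1, 31), "email",
                         "reply received from the registered address")
    suppression: set[str] = set()
    rec = process_erasure(req, [crm, invoices, mailing, tape], suppression, date(2025, 2, 3))
    restored = DataStore("crm_restored")          # later restore: Ana withheld, Bob returns
    restore_backup(tape, restored, suppression)
    return rec, [crm, invoices, mailing, tape], restored


if __name__ == "__main__":
    import json
    print(json.dumps(demo()[0], indent=2))
```

Two design choices matter here. The compliance record is itself personal data if it stores the requester’s email, so it stores a keyed hash instead; you can still prove which request you handled by recomputing the hash. And the deadline helper clamps to the last day of a short month (a request received on 31 January is due by 28 February), which is the kind of detail a hand-maintained spreadsheet tends to get wrong.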
Notifying Third Parties
If you share personal data with third parties (such as payment providers, marketing agencies, or software vendors), you must take “reasonable steps” to inform them of the erasure request, so they can delete the data as well.
- Review your consent forms and contracts to cover responsibilities for data deletion.
- Use clear agreements and privacy policies to set out procedures and expectations.
Data Needed for Legal or Business Reasons
Sometimes you’ll need to keep some data, such as records required for financial audits or to defend actual or potential legal claims. In these cases, only retain what’s strictly necessary for the minimum period possible. Remove or anonymise any other data you no longer need.
High Volume of Requests
If you receive multiple requests (for example, you’re a SaaS provider or marketplace with thousands of users), consider tools or systems to automate parts of the process. Even automated responses require human checks for the legal nuances!
Practical Tips to Make Your Erasure Process Smooth
Here are some ideas to make handling erasure requests easy and reduce legal risks:
- Create simple policies: Have clear, step-by-step procedures for your staff to follow as soon as a request is received. Document every step for compliance.
- Train your team: Make sure anyone handling personal data knows what to do if they get an erasure request. Training should cover recognising requests, confirming identity, and documenting decisions.
- Update your privacy policy: Clearly state how individuals can exercise their right to erasure and what your usual process involves.
- Use tailored contracts: Ensure all third-party processor agreements (for example, with IT suppliers or marketing firms) require prompt action to delete data as needed.
- Schedule regular reviews: Assess how your business handles personal data – what you collect, where it’s stored, and retention practices. Check your GDPR compliance processes are up to date.
What Should I Do If I Get an Erasure Request?
To recap, here’s the process you should follow as a business owner or manager:
- Identify the request and make sure you understand what the person is asking you to do (they don’t have to use any “official” wording).
- Confirm the identity of the requester so you don’t erase information from the wrong person.
- Check if the request meets the criteria for erasure under GDPR – follow your internal checklist or get advice if you’re unsure.
- Make a decision quickly – you must act within a month of the request (extensions apply only in complex cases).
- Carry out the erasure or, if you have grounds to refuse, document your reasons and communicate them clearly to the requester (including the individual’s rights to escalate to the ICO).
- Keep a complete record of the request, assessment, and actions taken for your compliance file.
How Can Sprintlaw Help?
At Sprintlaw, we specialise in helping small businesses, startups, and growing companies manage their GDPR obligations – including data erasure and other data rights. Our team can:
- Draft or review your policies and contracts to make sure you’re fully GDPR compliant.
- Help create a robust process for handling erasure (and other data rights) requests that fits your business model.
Key Takeaways
- The GDPR right to erasure allows individuals to request the deletion of their personal data in specific circumstances – not every request must be granted, but you must assess each one carefully.
- You have up to a month to respond, so prompt action and clear internal policies are essential.
- Failure to comply can mean severe fines and reputational harm, so keeping accurate records is critical.
- When refusing requests, be ready to justify your reasoning and inform individuals of their rights to escalate.
- Clear contracts, regular reviews, and staff training will help ensure smooth and compliant data erasure processes.
- If you’re uncertain, getting expert legal advice will provide peace of mind and help you stay ahead of compliance risks.
Need help handling data erasure requests or reviewing your GDPR compliance? Sprintlaw can offer support with policies, contracts, and ongoing advice. Reach us on 08081347754 or at team@sprintlaw.co.uk for a free, no-obligations chat.