Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Request To Delete Personal Data (And When Does It Apply)?
- Step-By-Step: How To Respond To A Request To Delete Personal Data
- 1. Log The Request Immediately
- 2. Verify The Person’s Identity (But Don’t Overdo It)
- 3. Clarify The Scope Of The Request
- 4. Check Your Lawful Basis And Whether You Need To Keep Anything
- 5. Delete, Anonymise, Or Restrict Access (And Include Backups In Your Thinking)
- 6. Respond Within The Time Limit
- 7. Confirm What You Did (And What You Kept)
- Key Takeaways
If you run a small business in the UK, sooner or later you’ll probably receive a request from someone asking you to delete their personal data (sometimes called a “right to erasure” request).
This can feel stressful - especially if you’re juggling day-to-day operations and you’re not sure what you’re allowed to delete, what you must keep, and how quickly you need to respond.
The good news is: with a clear process (and the right paperwork), handling a deletion request under UK GDPR is very manageable. In this guide, we’ll walk you through what a request to delete personal data means, when you must comply, when you can refuse, and how to respond in a way that protects your business.
What Is A Request To Delete Personal Data (And When Does It Apply)?
A request to delete personal data is typically an individual exercising their right to erasure under the UK GDPR (as supplemented by the Data Protection Act 2018). In practical terms, they’re asking you to remove information that identifies them - for example, customer records, marketing profiles, account details, or employee-related data.
Personal data is any information that relates to an identified or identifiable individual, such as:
- Names, emails, phone numbers, and postal addresses
- Customer account IDs or loyalty membership numbers
- IP addresses and certain cookie identifiers (depending on context)
- HR records, performance notes, or payroll details
- Special category data like health information (extra protections apply)
For UK businesses, deletion requests often come up in situations like:
- A former customer closes their account and wants all records removed
- A marketing contact unsubscribes and wants their details erased (not just “opted out”)
- A previous job applicant asks you to delete their CV and interview notes
- An employee leaves and wants certain information removed from internal systems
It’s also worth noting that a deletion request can arrive in different forms. It might be a formal email quoting “GDPR”, or it could simply say: “Please delete my details.” Either way, you should treat it as a potential data rights request and handle it properly.
Having clear customer-facing wording in your Privacy Policy is one of the easiest ways to reduce confusion and set expectations from the outset (including what you can and can’t delete).
Do You Have To Comply With Every Request To Delete Personal Data?
No - and this is where many businesses get caught out.
UK GDPR gives people the right to ask you to delete their personal data, but it’s not an absolute right. Whether you must comply depends on:
- Why you collected the data
- What lawful basis you relied on (e.g. contract, legal obligation, legitimate interests, consent)
- Whether you still need the data for a legitimate and lawful reason
- Whether an exemption applies
Common Situations Where You Usually Must Delete
In many small business settings, you’ll usually need to erase data where:
- The personal data is no longer necessary for the purpose you collected it for
- The individual withdraws consent (and consent was your lawful basis)
- The person successfully objects to processing (for example, direct marketing)
- The personal data was processed unlawfully
A very common example is marketing. If you’re holding someone’s information purely to send marketing emails and they ask you to delete their data, you’ll often have to erase it (though you may still keep a minimal suppression record to ensure you don’t accidentally market to them again - more on that below).
Common Situations Where You Can Refuse Or Partly Refuse
There are several lawful reasons you might not be able to delete everything, even if you’d like to keep the customer happy.
You may be entitled (or required) to keep personal data where it’s necessary for:
- Compliance with a legal obligation (for example, certain tax and accounting record-keeping requirements may apply, depending on your business and the type of records)
- Performance of a contract (where the contract is still ongoing or disputes remain)
- Establishing, exercising, or defending legal claims (e.g. you need records in case of a complaint or claim)
- Freedom of expression and information (more relevant to publishers/media)
- Public interest tasks (less common for typical SMEs)
In practice, many deletion requests result in a partial deletion outcome - you delete what you can, and you retain what you must, with clear reasoning documented.
Also, be careful not to confuse deletion with other rights. Sometimes what someone really wants is “Tell me what you hold about me” or “Stop marketing to me.” That may be closer to a Subject Access Request or an objection to direct marketing, not erasure.
Step-By-Step: How To Respond To A Request To Delete Personal Data
Having a consistent workflow is the best way to stay compliant (and avoid a panicked scramble through inboxes and systems).
1. Log The Request Immediately
Create a simple internal log (spreadsheet is fine for many small businesses) recording:
- Date received
- Who made the request and how they contacted you
- What they asked for (delete everything? delete marketing data only?)
- Deadline for response
- Team member responsible
- Outcome and date closed
This helps you demonstrate accountability if the ICO ever asks what you did and when.
2. Verify The Person’s Identity (But Don’t Overdo It)
You should take reasonable steps to confirm you’re deleting the right person’s data - and not handing control of someone else’s data to an impersonator.
However, you should only request enough information to verify identity. For example:
- If the request comes from the email address linked to their account, that may be sufficient
- If there’s doubt, ask for an additional identifier you already hold (e.g. order number)
- Avoid collecting unnecessary documents (like copies of passports) unless genuinely needed
Remember: collecting extra ID documents creates more personal data and more security responsibility.
3. Clarify The Scope Of The Request
Many people don’t actually mean “delete everything everywhere.” They may only want:
- Marketing profiles removed
- An online account deleted
- Old contact details updated and the incorrect version removed
If the request is unclear, you can ask follow-up questions. This is especially useful if your business has multiple systems (CRM, newsletter platform, accounting software, customer support platform).
4. Check Your Lawful Basis And Whether You Need To Keep Anything
This is the core legal step. For each category of personal data, ask:
- Why do we have this data?
- Do we still need it?
- Are we required to keep it by law?
- Could we minimise it instead (e.g. anonymise or restrict access)?
This is where a well-defined data retention approach is gold. If you don’t already have a retention plan, it’s worth implementing one aligned with UK GDPR principles (data minimisation and storage limitation). Data retention decisions also connect closely to breach risk management - keeping data “just in case” can increase your exposure if something goes wrong.
If you ever face an incident involving retained data, a clear data breach response plan can make a massive difference to how calmly and quickly you can respond.
5. Delete, Anonymise, Or Restrict Access (And Include Backups In Your Thinking)
When you comply with a request to delete personal data, “delete” can mean different practical actions depending on your systems and obligations:
- Deletion: removing the record entirely from active systems
- Anonymisation: irreversibly removing identifiers so the person is no longer identifiable
- Restriction: retaining data but locking it down (e.g. for legal claims) and not using it for other purposes
Backups are a common pain point. You generally don’t have to redesign your entire backup architecture to deal with a single deletion request, but you should ensure that:
- Data isn’t restored into active systems without reapplying the deletion
- You have a reasonable backup retention period
- Your approach is documented and consistent
If you use third-party suppliers (email marketing tools, CRMs, HR platforms), you’ll often need to action deletions there too. Make sure you know which suppliers are “processors” and what your contract says about assisting with data subject rights.
6. Respond Within The Time Limit
In most cases, you must respond to a deletion request within one month. This is a calendar month, not 30 business days.
You can extend the deadline by up to two further months if the request is complex or you’ve received multiple requests - but you should tell the person within the original one-month period and explain why.
If you’re also handling access requests at the same time, it helps to understand the usual timing expectations and what “on time” looks like in practice - the same discipline applies to deletion requests too. (For reference, businesses often manage deadlines using the same workflow principles as SAR response timescales.)
7. Confirm What You Did (And What You Kept)
Your response should be clear, polite, and specific. If you deleted the data, confirm:
- What categories of data were erased
- Which systems you erased from (where appropriate)
- Whether any third parties were notified (if relevant)
If you didn’t delete everything, explain:
- What you retained
- The lawful reason you retained it (e.g. legal obligation, legal claims)
- How long you expect to keep it (or what triggers deletion later)
- That you will restrict its use to that purpose
Done properly, this approach usually reduces follow-up complaints because the person can see you’ve taken the request seriously.
What Can Go Wrong (And How To Protect Your Business)?
Most GDPR problems for small businesses don’t come from bad intentions - they come from messy systems and unclear responsibilities.
Here are common risk areas when handling a request to delete personal data, and how you can avoid them.
Accidentally Deleting Data You Must Keep
For example, deleting invoices and transaction records may create accounting and tax issues (and the specific records you must keep - and for how long - can depend on your business and circumstances). A better approach is often to:
- Remove the person from marketing lists and operational systems where no longer needed
- Retain minimum necessary data in your accounting system to comply with legal obligations
- Restrict access internally so the data isn’t used for unrelated purposes
Keeping Too Much “Just In Case”
Holding personal data indefinitely increases risk. If you can’t justify why you still need a category of personal data, you’re more exposed to:
- Complaints to the ICO
- Security incidents involving legacy data
- Extra time and cost when responding to data rights requests
As a practical step, map your data flows (what you collect, where it goes, who can access it) and set internal rules for retention and deletion.
Missing Data Stored In “Hidden” Places
Personal data often exists outside your main systems, such as:
- Email inboxes (sales@, support@)
- Spreadsheets and shared drives
- Slack/Teams messages
- Recorded calls or meeting notes
It’s worth setting internal rules about where customer data can be stored and how long it should remain there.
Some businesses formalise this within internal IT and data rules (especially if staff use personal devices or mixed work/personal tools). Your approach to workplace data handling can also intersect with general compliance around phone and digital communications - for example, if your team uses personal phones for work, it’s wise to understand the GDPR pitfalls discussed in work phones vs BYOD.
Not Having A Written Process (So Everyone Does Something Different)
Even if you’re a small team, consistency matters. You don’t want one staff member deleting everything immediately, and another staff member ignoring requests because they’re unsure.
At minimum, document:
- Who is responsible for handling requests
- How requests are verified
- Where data is stored
- How deletion is actioned across systems
- How responses are drafted and approved
A simple written policy is often enough - and it can be built into your general compliance approach alongside other key documents.
Practical Tips: Policies, Contracts, And Data Hygiene That Make Deletion Requests Easier
Handling a request to delete personal data is much easier when your business has good “data hygiene” from day one.
Here are practical steps that tend to make the biggest difference for SMEs.
Keep Your Privacy Disclosures Up To Date
Your privacy disclosures should explain (in plain English):
- What personal data you collect and why
- Your lawful bases
- How long you keep data (or how you decide retention periods)
- How individuals can request deletion (and other rights)
This is why having a properly drafted Privacy Policy matters - it sets expectations early and reduces disputes later.
Use Data Minimisation As A Default
If you don’t need it, don’t collect it. If you don’t need it anymore, delete it (or anonymise it).
For example:
- Don’t collect dates of birth unless you have a real purpose (like age verification)
- Don’t store copies of ID documents unless legally required
- Don’t keep old applicant CVs indefinitely without a clear retention policy
This also applies to high-risk identifiers. For example, if you collect national insurance numbers for payroll purposes, that’s likely personal data and you should secure it carefully and retain it only as long as needed. (If you’re unsure how certain identifiers are treated, see how UK GDPR generally approaches identifiers like those discussed in national insurance numbers as personal data.)
Plan For “Suppression Lists” In Marketing
If someone asks you to delete their data, you may still need to keep a limited record of their email address on a “do not contact” list, so you don’t accidentally re-add them and start marketing again.
This can be GDPR-friendly if it’s properly limited and used only for compliance (not for marketing). The key is to keep it minimal and justify it.
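As an added illustration of step 5 (erase, anonymise or restrict per system) together with the suppression list described here, the Python below walks an erasure request across a small constructed data store: it erases marketing and CRM records, strips identifiers from a record that must be retained for a legal obligation, and adds a keyed hash of the email address to a suppression set so the list itself never stores the address. This is example code written for this guide, not Sprintlaw's own tooling; the records, the retention reasons and the `key` (assumed to be a secret kept separately from the suppression list) are all constructed.

```python
import hmac
import hashlib

# Constructed sample data store: one record per system. Not real data.
# "retain" is None where nothing requires the record to be kept.
RECORDS = [
    {"system": "newsletter", "email": "Jane.Doe@example.com", "name": "Jane Doe", "retain": None},
    {"system": "crm", "email": "jane.doe@example.com", "name": "Jane Doe", "retain": None},
    {"system": "accounting", "email": "jane.doe@example.com", "name": "Jane Doe",
     "invoice": "INV-0001", "amount": 120.00, "retain": "legal obligation (tax records)"},
    {"system": "newsletter", "email": "bob@example.com", "name": "Bob", "retain": None},
]


def normalise_email(addr: str) -> str:
    # Matching must ignore case and stray whitespace, otherwise a record slips through.
    return addr.strip().lower()


def suppression_token(addr: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256): the list can be checked against future sign-ups
    # without holding the address, and cannot be reversed without the key.
    return hmac.new(key, normalise_email(addr).encode(), hashlib.sha256).hexdigest()


def process_erasure(records, addr, key, suppression):
    """Return (records kept, summary) for one erasure request; never mutates the input."""
    target = normalise_email(addr)
    kept, summary = [], {"erased": [], "anonymised": [], "retained_reason": {}}
    for rec in records:
        if normalise_email(rec.get("email", "")) != target:
            kept.append(rec)
        elif rec["retain"] is None:
            summary["erased"].append(rec["system"])  # nothing requires it: erase
        else:
            # Must be kept (e.g. tax records): drop the identifiers, keep the financial
            # fields and record the reason so its use stays restricted to that purpose.
            anon = {k: v for k, v in rec.items() if k not in ("email", "name")}
            kept.append(anon)
            summary["anonymised"].append(rec["system"])
            summary["retained_reason"][rec["system"]] = rec["retain"]
    suppression.add(suppression_token(target, key))  # minimal "do not contact" entry
    return kept, summary


def is_suppressed(addr: str, key: bytes, suppression) -> bool:
    # Check at sign-up or list import time so the person is not re-added to marketing.
    return suppression_token(addr, key) in suppression
```

The summary dict is the material for step 7: what was erased, what was anonymised, and the reason each retained item was kept.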
Make Sure Your Supplier Contracts Support Erasure
If suppliers process personal data on your behalf, your contracts should require them to:
- Process data only on your instructions
- Help you comply with data subject rights requests (including deletion)
- Apply appropriate security measures
- Notify you of breaches
This is particularly important for HR, CRM, email marketing, and cloud storage providers.
Train Your Team (Because Requests Often Land In General Inboxes)
Deletion requests don’t always land neatly in a “privacy@” inbox. They might go to your customer support team, your admin team, or even your social media DMs.
A quick internal training and a simple script like “Thanks - we’ve received your request and will respond within one month after verifying your identity” can prevent delays and missteps.
Key Takeaways
- A request to delete personal data is a UK GDPR right, but it’s not absolute - you may be allowed (or required) to retain some data for legal obligations or legal claims.
- Responding properly usually means logging the request, verifying identity, clarifying scope, assessing lawful basis, deleting/anonymising/restricting data, and replying within one month.
- Partial deletion is common: you can erase marketing and non-essential records while keeping minimum necessary data for tax, accounting, and dispute management.
- Good data hygiene makes compliance easier - minimise what you collect, keep clear retention rules, and ensure third-party suppliers can assist with deletion requests.
- A clear Privacy Policy and documented internal process reduce confusion, help you stay consistent, and lower the risk of ICO complaints.
Note: This article is general information only and isn’t tax advice. Legal and record-keeping obligations (including retention periods) can vary depending on your business and circumstances.
If you’d like help putting the right GDPR processes and documents in place (or responding to a deletion request you’ve already received), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.