Three Circumstances in Which Your UK Business Can Safely Delete Personal Information

Every UK business handles personal data belonging to customers, staff and third parties. The General Data Protection Regulation (GDPR) outlines the necessary data protection requirements for processing and storing personal information. This article will detail three circumstances in which your UK business can safely delete personal information. Doing so ensures your organisation avoids an investigation by the Information Commissioner’s Office (ICO) for a potential breach of the GDPR.

What is the GDPR?

The UK General Data Protection Regulation (GDPR) sets out vital data protection rules for UK organisations. There is a genuine threat of substantial fines from the ICO upon any GDPR breach. This is one of the main factors in UK business owners seeking to comply with GDPR legal obligations. 

The GDPR focuses on safely handling, processing and storing personal data.

Some of its main principles regarding personal information include:

  • Data Minimisation: your company should only store relevant personal data;
  • Purpose Limitation: your business should only use personal information for the reasons given upon initial collection;
  • Accuracy: you should ensure that all personal data is kept fully up-to-date;
  • Data Integrity: your company should fully protect personal information by all reasonable physical and digital means; and
  • Storage Limitation: you should delete information when no longer relevant or necessary.

The GDPR principles make two points clear: 

  • personal information should remain accurate; and 
  • businesses must take reasonable steps to delete it when it is no longer relevant.  

However, deleting information too early can cause issues with safely carrying out your business. For example, suppose you deleted a customer’s home address too early and needed to send them a replacement item. This situation could also constitute a GDPR breach in the ICO’s eyes.

Who are the ICO?

The Information Commissioner’s Office (ICO) is an independent body formed by the UK Government. Most UK companies respect the ICO and aim to comply with its online GDPR guidance due to its ability to impose financial penalties of up to £17.5m on UK businesses. 

The ICO is happy with businesses that delete personal information in line with GDPR principles but may regard instances of early data deletion as a GDPR breach. So, it is worth ensuring that personal data is deleted through a sensible system (such as a regular data audit) to avoid any risk of ICO fines for unlawful data deletion.

Let us explore three circumstances in which your UK business can safely delete personal information.


1. Out-of-Date or Inaccurate Information

The GDPR clarifies that businesses should ensure all personal data relating to individuals is kept up-to-date. For example, double-check address details, contact information and credit card details from time to time.

This requirement is one of the reasons why some businesses ask staff to update their contact details at the start of each year.

Your business will be able to delete personal data in any of the following scenarios:

  • the individual is now deceased;
  • their contact details no longer work (for example, calls to their stated telephone number go through to a different person); or
  • you know the individual must have moved house or changed their contact details (but do not know any updated information). 

2. Irrelevance 

The GDPR only permits UK organisations to store personal information when necessary and relevant. For example, if your business supplies goods to another company each week, it is acceptable to store the organisation’s name, postal address, telephone number and email address. However, requesting the Director’s national insurance number would be irrelevant and unnecessary.

However, suppose your business stops delivering to the company and has not done so for five years. In that case, it should delete their contact details from your system as these are now irrelevant and, potentially, out-of-date.

3. Individual Deletion Requests

The GDPR allows an individual to ask your business to delete their personal information if specific grounds apply. This is known as an ‘erasure request’ and is based on the ‘right to erasure’. The most common ground is where the individual’s personal information is no longer necessary in relation to the purpose for which it was collected or processed.

If your business runs an online social media platform and someone logs off and asks for the complete deletion of all previous posts and content, your company should do this without delay.

However, it is worth noting the phrase ‘no longer necessary’. If the individual wishes to keep doing business with you, their personal information remains necessary for that purpose, and you must explain this to them. Many businesses have no issue with an individual asking for the deletion of data in this way (once they have verified their identity) because every person has this right under the GDPR.

Key Takeaways

The starting point is that the GDPR allows UK businesses to delete personal data in certain circumstances. However, many business owners obtain legal advice before deletion, given the value of customer information and the adverse customer reaction to personal information being ‘lost’ or ‘deleted’ without permission.  

If you need help ensuring the safe deletion of personal information, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Why does the GDPR only permit deletion in specific circumstances?

Because the GDPR recognises the importance of personal information not being lost or deleted whilst it is still relevant. For example, it could cause a data subject enormous harm to have their medical records deleted without their prior consent.

How important is verifying an individual’s identity after an erasure request?

This is very important because there is a chance that a malicious actor is trying to trick your business into deleting an individual’s personal data. If this causes financial harm to the individual, you could face legal claims from them. Because of this, the ICO would expect your organisation to obtain additional information that makes you confident that the individual is genuine.

Thomas Sutherland