
How Your Business Should Handle Requests for Personal Data Deletion


In an era of increasing concern for data privacy and protection, individuals have the right to be in control of their personal information. The General Data Protection Regulation (GDPR) and Data Protection Act have solidified these rights in the UK. One crucial aspect of these regulations is the right to erasure, also known as the ‘right to be forgotten’. This right empowers individuals to request the deletion of their personal data. This article explores how your UK business should handle such requests, ensuring you comply with UK law while safeguarding your customers’ privacy.

1. Understanding the Right to Erasure

The right to erasure, as outlined in Article 17 of the GDPR, is a fundamental principle of data protection. It grants individuals the right to request the deletion of their personal data when certain conditions are met.

These conditions include:

  • situations where the data is no longer necessary for the purposes for which it was collected;
  • the individual withdraws their consent;
  • the data has been unlawfully processed; or
  • there is a legal obligation to erase it.

In the context of a UK business, if a customer or user requests the deletion of their personal data, you must take their request seriously and act upon it promptly, provided it meets the criteria outlined in the GDPR.

Any failure to do so may result in enforcement action against your business by the Information Commissioner’s Office (ICO).

2. Establish Clear Procedures

One of the initial steps in handling data deletion requests from data subjects is establishing transparent and efficient procedures within your organisation.  

Your employees should understand the process and know whom to contact after receiving a request. This ensures that your business handles requests consistently and promptly.

Keeping records of all requests and actions taken in response to them is also essential, as this will help demonstrate compliance with data protection regulations.


3. Verify the Requestor’s Identity

Before proceeding with a data deletion request, you must verify the identity of the person making the request. This is to prevent unauthorised individuals from requesting the deletion of someone else’s data.

You should have a reliable system in place for identity verification, which may include requesting additional information from the requester. As long as the system contains reasonable steps, your business can safely request this information without worrying about the delay it may cause.

4. Evaluate the Request

Once you have verified the requestor’s identity, you must assess whether their request meets the criteria for data deletion as outlined in the UK GDPR.

Consider whether the data is still necessary for the purpose for which it was collected. Additionally, determine whether you have a legal obligation to retain it. If neither of these applies, you should proceed with the deletion.

However, if the data is still necessary for the purpose for which it was collected, or you have a legal obligation to retain it, your data controller may be safe to refuse the erasure request.


5. Inform the Requestor

After verifying the request and evaluating its legitimacy, you should inform the requestor of your decision.

If you decide to proceed with the data deletion, you must also inform them of the timeframe within which you will complete it. The GDPR mandates that you delete data without undue delay, so it is essential to act promptly.

6. Delete the Data

Once you have decided to honour the request, you must delete the data in question. This includes: 

  • the data stored in your primary database;
  • any backup copies; and
  • any redundant copies.

It is crucial to remove all instances of the data to comply with the right to erasure fully. Most UK businesses have a privacy policy that dictates the method and nature of data deletion. Having such a policy can help guard against any legal claims.

7. Notify Third Parties

In certain circumstances, you may need to notify third parties to whom you have disclosed the data about the erasure.

However, this is not always necessary, as there are exceptions under the GDPR. It is crucial to understand when you must notify these third parties and ensure they also delete the data, and it is vital to obtain legal advice when unsure of whether to do so.

Key Takeaways

The right to erasure is a fundamental aspect of data protection in the UK. Requests for personal data deletion must be handled correctly, as they are a legal obligation and an opportunity to build trust and demonstrate a commitment to customer privacy. By establishing clear procedures, verifying requestor identities, evaluating requests, and acting promptly and comprehensively, your UK business can successfully navigate the challenges of data deletion requests and reap the benefits of compliance.

In a world where data privacy is of utmost importance, the ability to respect and uphold an individual’s right to be forgotten is not just a legal requirement but also a moral imperative. By effectively handling data deletion requests alongside subject access requests, your business can balance compliance and customer satisfaction, ultimately strengthening its position in the market. 

If you need legal assistance handling personal data deletion requests, our experienced regulatory lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Thomas Sutherland
