In an era of increasing concern for data privacy and protection, individuals have the right to be in control of their personal information. The General Data Protection Regulation (GDPR) and Data Protection Act have solidified these rights in the UK. One crucial aspect of these regulations is the right to erasure, also known as the ‘right to be forgotten’. This right empowers individuals to request the deletion of their personal data. This article explores how your UK business should handle such requests, ensuring you comply with UK law while safeguarding your customers’ privacy.
1. Understanding the Right to Erasure
The right to erasure, as outlined in Article 17 of the GDPR, is a fundamental principle of data protection. It grants individuals the right to request the deletion of their personal data when certain conditions are met.
These conditions include:
- situations where the data is no longer necessary for the purposes for which it was collected;
- the individual withdraws their consent;
- the data has been unlawfully processed; or
- there is a legal obligation to erase it.
Failure to erase the data when one of these conditions applies may result in enforcement action against your business by the Information Commissioner’s Office (ICO).
2. Establish Clear Procedures
One of the initial steps in handling data deletion requests from data subjects is establishing transparent and efficient procedures within your organisation.
Your employees should understand the process and know whom to contact after receiving a request. This ensures that your business handles requests consistently and promptly.
Keeping records of all requests and actions taken in response to them is also essential, as this will help demonstrate compliance with data protection regulations.
3. Verify the Requestor’s Identity
Before proceeding with a data deletion request, you must verify the identity of the person making the request. This is to prevent unauthorised individuals from requesting the deletion of someone else’s data.
You should have a reliable system in place for identity verification, which may include requesting additional information from the requester. As long as the system contains reasonable steps, your business can safely request this information without worrying about the delay it may cause.
4. Evaluate the Request
Once you have verified the requestor’s identity, you must assess whether their request meets the criteria for data deletion as outlined in the UK GDPR.
Consider whether the data is still necessary for the purpose for which it was collected. Additionally, determine whether you have a legal obligation to retain it. If neither of these applies, you should proceed with the deletion.
However, if the data is still necessary for the purpose for which it was collected, or you have a legal obligation to retain it, your data controller may be safe to refuse the erasure request.
5. Inform the Requestor
After verifying the request and evaluating its legitimacy, you should inform the requestor of your decision.
If you decide to proceed with the data deletion, you must also inform them of the timeframe within which you will complete it. The GDPR mandates that you delete data without undue delay, so it is essential to act promptly.
6. Delete the Data
Once you have decided to honour the request, you must delete the data in question. This includes:
- the data stored in your primary database;
- any backup copies; and
- any redundant copies.
It is crucial to remove all instances of the data to comply with the right to erasure fully. Most UK businesses have a privacy policy that dictates the method and nature of data deletion. Having such a policy can help guard against any legal claims.
7. Notify Third Parties
In certain circumstances, you may need to notify third parties to whom you have disclosed the data of the erasure.
However, this is not always necessary, as there are exceptions under the GDPR. It is crucial to understand when you must notify these third parties and ensure they also delete the data, and it is vital to obtain legal advice when unsure of whether to do so.
Key Takeaways
The right to erasure is a fundamental aspect of data protection in the UK. Requests for personal data deletion must be handled correctly, as they are a legal obligation and an opportunity to build trust and demonstrate a commitment to customer privacy. By establishing clear procedures, verifying requestor identities, evaluating requests, and acting promptly and comprehensively, your UK business can successfully navigate the challenges of data deletion requests and reap the benefits of compliance.
In a world where data privacy is of utmost importance, the ability to respect and uphold an individual’s right to be forgotten is not just a legal requirement but also a moral imperative. By effectively handling data deletion requests alongside subject access requests, your business can balance compliance and customer satisfaction, ultimately strengthening its position in the market.