How Should My Business in England Handle Requests for Data Erasure Under the GDPR? 

As a business owner, you may receive a request to erase data. The General Data Protection Regulation (GDPR) and Data Protection Act require your business to take reasonable steps when managing personal data. Any breach of their rules can result in a hefty fine (of up to £17.5m) from the Information Commissioner’s Office (ICO). Some businesses are starting to receive requests for data erasure from individuals (otherwise known as ‘the right to be forgotten’). This article will explore situations where your business may need to delete personal information in response to an erasure request. Knowing this should help your business stay on the right side of the ICO and avoid financial penalties.

What is Data Erasure?

Data erasure occurs when an organisation deletes some of the personal information it holds on a specific individual. The right to erasure only applies in limited circumstances, so your business must determine whether to grant requests. Outside of media (and social media) organisations, most companies will likely receive requests for erasure from staff or customers.

When Should My Company Grant a Request for Erasure?

The ICO has published online guidance setting out scenarios in which an organisation should consider deleting personal data. Some noteworthy examples include where:

• information is held further to an individual’s consent, and they later withdraw that consent;
• your business uses the personal information for direct marketing purposes, and the individual later objects to that data use;
• your business is under a legal obligation to do so (for example, the GDPR requires personal data deletion further to any evidence that the personal information is inaccurate or out-of-date);
• your company later judges itself to have handled the personal information unlawfully; or
• the personal data is no longer necessary for its original purpose.

Exemptions

However, there are some exemptions against personal data erasure. This includes situations where your:

• business is processing an individual’s personal data to comply with a legal obligation;
• company needs to keep that information to bring or defend against a legal claim; and
• organisation wishes to store the information to assist freedom of expression and information.

If these exemptions apply, your organisation can deny the erasure request.

Example

Let us say that an employee left your company one month ago and has sent an email asking for the erasure of all their personal data. However, your organisation still needs to hold onto salary and payment details as part of its duty to HMRC and can refuse to delete salary-related information.  Similarly, your company needs to keep a record of employment for record-keeping purposes and to respond to future reference requests.

Additionally, your company may have a professional indemnity policy which requires your business to retain employee records following their departure. Often, these apply to guard the business against Employment Tribunal or Personal Injury claims.

Reasons for Refusal

If no exemptions apply, there is still a chance that your company could safely deny an erasure request. This is the case if the request is:

• manifestly unfounded; or 
• excessive. 

Both phrases have different meanings, so let us explore them further below.

Manifestly Unfounded

The phrase manifestly unfounded primarily covers two types of situations. The first is where an individual has no real intention to exercise their right to erasure (for example, they request deletion of data but, in the same email, offer to drop the request in exchange for money). The second scenario involves the request for erasure as a malicious attempt to harass an organisation. For example, sending several weekly requests to hassle workers and cause business disruption. 

Excessive

The word excessive describes a situation in which the individual sends multiple requests for erasure that overlap with previous requests or simply repeat previously denied requests.

If your organisation refuses a data erasure request, it should confirm this to the individual in writing within one month of the request. Your correspondence should confirm why it has declined the request and the individual’s ability to complain to the ICO.

Example

Let us say that an employee left your organisation two months ago because their favourite manager retired and they dislike the new manager. You are aware that the new manager made every effort with the individual but to no avail. The individual now sends an email every working day requesting the deletion of a different piece of data, with each email saying that the requests will stop if the company pays them £5,000.

Key Takeaways

Requests for data erasure are often unpopular with business owners. This is mainly due to their time-consuming nature and the inability to charge a fee (except in certain circumstances where the request is manifestly unfounded or excessive). In any event, your business should notify the individual whether the data erasure request is accepted or rejected within one month of the request. 

If you need help deciding whether to approve or reject a data erasure request, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page. 

Frequently Asked Questions