How Should My Business in England Handle Requests for Data Erasure Under the GDPR?

As a business owner, you may receive a request to erase data. The General Data Protection Regulation (GDPR) and Data Protection Act require your business to take reasonable steps when managing personal data. Any breach of their rules can result in a hefty fine (of up to £17.5m) from the Information Commissioner’s Office (ICO). Some businesses are starting to receive requests for data erasure from individuals (otherwise known as ‘the right to be forgotten’). This article will explore situations where your business may need to delete personal information in response to an erasure request. Knowing this should help your business stay on the right side of the ICO and avoid financial penalties.

What is Data Erasure?

Data erasure occurs when an organisation deletes some of the personal information it holds on a specific individual. The right to erasure only applies in limited circumstances, so your business must determine whether to grant requests. Outside of media (and social media) organisations, most companies will likely receive requests for erasure from staff or customers.

When Should My Company Grant a Request for Erasure?

The ICO has published online guidance setting out scenarios in which an organisation should consider deleting personal data. Some noteworthy examples include where:

  • information is held further to an individual’s consent, and they later withdraw that consent;
  • your business uses the personal information for direct marketing purposes, and the individual later objects to that data use;
  • your business is under a legal obligation to do so (for example, the GDPR requires personal data deletion further to any evidence that the personal information is inaccurate or out-of-date);
  • your company later judges itself to have handled the personal information unlawfully; or
  • the personal data is no longer necessary for its original purpose.

Exemptions

However, there are some exemptions against personal data erasure. This includes situations where your:

  • business is processing an individual’s personal data to comply with a legal obligation;
  • company needs to keep that information to bring or defend against a legal claim; or
  • organisation wishes to store the information to assist freedom of expression and information.

If these exemptions apply, your organisation can deny the erasure request.

Example

Let us say that an employee left your company one month ago and has sent an email asking for the erasure of all their personal data. However, your organisation still needs to hold onto salary and payment details as part of its duty to HMRC and can refuse to delete salary-related information. Similarly, your company needs to keep a record of employment for record-keeping purposes and to respond to future reference requests.

Additionally, your company may have a professional indemnity policy which requires your business to retain employee records following their departure. Often, these apply to guard the business against Employment Tribunal or Personal Injury claims.

Reasons for Refusal

If no exemptions apply, there is still a chance that your company could safely deny an erasure request. This is the case if the request is:

  • manifestly unfounded; or
  • excessive.

Both phrases have different meanings, so let us explore them further below.

Manifestly Unfounded

The phrase manifestly unfounded primarily covers two types of situations. The first is where an individual has no real intention to exercise their right to erasure (for example, they request deletion of data but, in the same email, offer to drop the request in exchange for money). The second is where the request for erasure is a malicious attempt to harass an organisation, for example by sending several requests each week to hassle staff and disrupt the business.

Excessive

The word excessive describes a situation in which the individual sends multiple requests for erasure that overlap with previous requests or simply repeat previously denied requests.

If your organisation refuses a data erasure request, it should confirm this to the individual in writing within one month of the request. Your correspondence should confirm why it has declined the request and the individual’s ability to complain to the ICO.

Example

Let us say that an employee left your organisation two months ago because their favourite manager retired and they dislike the new manager. You are aware that the new manager made every effort with the individual but to no avail. The individual now sends an email every working day requesting the deletion of a different piece of data, with each email saying that the requests will stop if the company pays them £5,000.

Here, your company can likely demonstrate the request to be manifestly unfounded. You may show beyond reasonable doubt that the individual is motivated by financial gain. They would also likely constitute excessive requests because they all relate to employment-related information and overlap.

Key Takeaways

Requests for data erasure are often unpopular with business owners. This is mainly due to their time-consuming nature and the inability to charge a fee (except in certain circumstances where the request is manifestly unfounded or excessive). In any event, your business should notify the individual whether the data erasure request is accepted or rejected within one month of the request.

If you need help deciding whether to approve or reject a data erasure request, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why is there a one-month time limit to respond to a data erasure request?

Because the ICO believes it is in the public interest for businesses in England to prioritise valid requests and avoid undue delay. They believe setting such a short timeframe means that organisations must consider the matter swiftly.

What if one month is not long enough?

Your business is only permitted to spend more than one month considering a request if it is complex. The ICO sets a high bar when considering whether a request is complex enough to justify an extension of time. In any event, you must notify the individual of the extension of time within one month.

Thomas Sutherland