Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A GDPR Deletion Request (Right To Erasure)?
- When Can You Refuse Or Limit A GDPR Data Deletion Request?
- A Step-By-Step Process To Handle A GDPR Deletion Request
  - 1) Capture The Request And Pause Non-Essential Processing
  - 2) Verify Identity (Proportionately)
  - 3) Locate All Relevant Systems And Vendors
  - 4) Assess Your Lawful Basis To Keep Or Delete
  - 5) Action Erasure And Document What You Did
  - 6) Handle Suppression For Marketing
  - 7) Backups And Archived Data
  - 8) Respond Within One Month (Or Explain An Extension)
- Key Takeaways
If you collect customer names, emails or purchase history, you’ll eventually get a GDPR deletion request. Don’t stress - with a clear process and the right documentation, you can respond lawfully and keep trust with your customers.
In this guide, we explain what a GDPR data deletion request is, when you must (and don’t have to) delete data, and a step-by-step workflow you can adapt for your business. We’ll keep it practical and focused on what UK SMEs actually need to do under UK GDPR and the Data Protection Act 2018.
What Is A GDPR Deletion Request (Right To Erasure)?
A GDPR deletion request (also called a “right to erasure” request, under Article 17 UK GDPR) is when an individual asks you to delete their personal data. This right isn’t absolute: you need to assess whether you still have a lawful basis, and a valid exemption, for keeping the data, or whether you must erase it.
Personal data means any information relating to an identified or identifiable person, such as names, emails, addresses, IPs, device IDs, purchase or support history, and behavioural data. If you can link the information back to a person (directly or indirectly), treat it as personal data.
As a controller, you must respond “without undue delay” and within one month of receiving the request. You can extend by up to two further months if the request is complex or you’ve received numerous requests from the same person, but you must tell the individual within the first month why you’re extending and when you will respond.
Typical reasons why an individual might exercise the right to erasure include:
- The data is no longer necessary for the purpose you collected it for (e.g. a one-off giveaway is over).
- They withdraw consent where consent was your lawful basis.
- They object to processing based on your legitimate interests and there are no overriding interests to continue.
- The data was processed unlawfully (e.g. you didn’t have a lawful basis).
- You must erase to comply with a legal obligation.
- The data was collected from a child, on the basis of consent, in connection with online (information society) services.
Most small businesses will deal with deletion requests connected to marketing, account closures or customer support records. If your Privacy Policy is clear about why you collect data and how long you keep it, you’re already halfway to an efficient, compliant response.
When Can You Refuse Or Limit A GDPR Data Deletion Request?
There are important exemptions and limitations. You may refuse to erase (or erase some data but not all) where processing is necessary for:
- Compliance with a legal obligation (e.g. retaining VAT invoices for tax law).
- Establishing, exercising or defending legal claims (e.g. keeping complaint correspondence while a dispute is live).
- Freedom of expression or information, public interest in public health, archiving, research or statistical purposes (more common for larger organisations).
Under the Data Protection Act 2018, there are additional UK-specific exemptions. For small businesses, the most relevant are likely to relate to legal claims and regulatory obligations. If you’re refusing a request (in whole or part), you must tell the individual within one month why you’re refusing, reference the exemption you’re relying on, and inform them of their right to complain to the ICO and to seek a judicial remedy.
Crucially, if your only reason for holding data is direct marketing and someone asks you to delete it, you must stop marketing to them. In practice, it’s often better to suppress the email in your marketing list rather than physically purge it entirely, otherwise you risk re-adding them later by mistake (for example, from a re-imported list). We explain suppression versus deletion below.
Before refusing, double-check overlapping data rights. A deletion request often arrives alongside a subject access request or objection to processing. Make sure your timeline and decision-making account for SAR deadlines and any applicable SAR exemptions so your response is consistent and lawful.
A Step-By-Step Process To Handle A GDPR Deletion Request
Here’s a practical workflow you can adapt to your business. Document this as your internal procedure, train your team, and you’ll take the panic out of deletion requests.
1) Capture The Request And Pause Non-Essential Processing
Log the request the day it arrives, whether it comes via email, a form or social media. If the person is on an active marketing list, pause campaigns to that individual while you assess the request. A simple ticketing or spreadsheet register works if you’re a small team.
2) Verify Identity (Proportionately)
You must be sure you’re dealing with the right person. Use reasonable verification based on the data you hold - for example, verify via the email address on their account or ask for order details you already store. Be careful not to collect excessive new data to verify identity.
3) Locate All Relevant Systems And Vendors
Identify where the person’s data lives. Think beyond your CRM: marketing platforms, analytics tools, helpdesk, finance systems, backups and any processors (suppliers handling data for you). Your vendor list should come from your records of processing and your Data Processing Agreement arrangements with suppliers.
4) Assess Your Lawful Basis To Keep Or Delete
For each category of data, decide if you must erase or can lawfully retain. Typical outcomes:
- Marketing data held under consent or legitimate interests: erase or suppress from marketing.
- Account data where a contract has ended: erase if not needed for legal retention or legitimate interests.
- Financial records: retain for statutory periods (e.g. HMRC), but restrict access and purpose.
- Complaint or dispute data: retain if needed for legal claims, then diarise deletion once risk passes.
Your data retention schedule should set default timeframes so decisions are faster and consistent.
5) Action Erasure And Document What You Did
Delete the data from live systems and instruct processors to erase too. Keep a minimal internal audit note of what you deleted, which systems and when. This record helps if the ICO asks about your decision-making. Avoid retaining content that reconstructs the personal data you’ve just erased - an anonymised or aggregated note is usually enough.
6) Handle Suppression For Marketing
To ensure you don’t email someone again by accident, add their email to a suppression list. Suppression means you keep a minimal identifier solely to block future marketing - not to market to them. This is generally accepted practice and a practical way to respect both the deletion request and marketing law (including PECR).
7) Backups And Archived Data
You don’t need to pull apart backups immediately if it would be disproportionate, provided you have a policy and technical controls that prevent the individual’s data being restored to production systems. The ICO describes this as putting the data “beyond use”: it is not accessed for any purpose, and it is overwritten in the normal backup cycle. Make sure your policy, your technical controls and what you tell people all say the same thing.
8) Respond Within One Month (Or Explain An Extension)
Write back clearly within one month to confirm what you deleted, what you’ve suppressed, anything you’re lawfully keeping (and why), and that you’ve informed processors where relevant. If you extended the deadline, explain why, and provide a new date. It’s good practice to signpost complaints to the ICO in your response template.
If a deletion request arrives bundled with other rights (access, rectification, restriction), align your timelines and communications with your overall DSAR workflow. A simple playbook that cross-refers to your DSAR deadlines will save you headaches when things get busy.
Deletion Versus Suppression, Backups And Vendor Systems
Deletion and suppression are different tools - and you’ll often use both.
Deletion
Deletion means removing the personal data so it can’t be used to identify the person. In some systems that’s a “hard delete”; in others, you may anonymise the record so you can still see analytics (e.g. “10 purchases this month”) without linking back to a person.
Suppression
Suppression means keeping a minimal identifier solely to honour the request going forward - a common approach in email marketing platforms. This prevents accidental re-subscription and is compatible with the right to object to direct marketing.
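The following is an added example, written for this page rather than taken from Sprintlaw’s materials, showing one way to implement the deletion and suppression patterns described in the two subsections above. The suppression list stores only a keyed hash (HMAC-SHA-256) of the normalised email address, so the “minimal identifier” kept to block future sends cannot be read back as an address or matched against other datasets without the key. The erasure routine suppresses first, then strips the name and email from the record while leaving the per-order amounts, so aggregate figures still add up. The key, the `Customer` record shape and the function names are assumptions of the example, not an API from any product or guidance.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical key for the suppression hash (an assumption of this example).
# Hard-coded only so the block runs offline; in practice it lives in a
# secrets manager, and rotating it invalidates every token already stored.
SUPPRESSION_KEY = b"example-suppression-key"


def normalise_email(email: str) -> str:
    """Trim and lower-case so 'Jane@Example.COM ' matches 'jane@example.com'."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed SHA-256 of the normalised address.

    The token is enough to block a future send but, without the key, cannot be
    turned back into the address or cross-matched against other datasets.
    """
    return hmac.new(SUPPRESSION_KEY, normalise_email(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class SuppressionList:
    """Holds tokens only, never addresses."""

    def __init__(self) -> None:
        self._tokens: Set[str] = set()

    def add(self, email: str) -> None:
        self._tokens.add(suppression_token(email))

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self._tokens

    def __len__(self) -> int:
        return len(self._tokens)


@dataclass
class Customer:
    """Constructed sample record: identifiers plus per-order amounts."""
    id: str
    name: Optional[str]
    email: Optional[str]
    purchases: List[float] = field(default_factory=list)
    erased: bool = False


def erase_customer(customer: Customer, suppression: SuppressionList) -> Customer:
    """Action an erasure: suppress first, then strip identifiers in place.

    The purchase amounts stay so 'N orders / X this month' still adds up,
    but nothing left on the record points back at a person.
    """
    if customer.email:
        suppression.add(customer.email)
    customer.name = None
    customer.email = None
    customer.erased = True
    return customer


def filter_recipients(emails: List[str], suppression: SuppressionList) -> List[str]:
    """Gate every campaign send through the suppression list."""
    return [e for e in emails if not suppression.is_suppressed(e)]


def purchase_total(customers: List[Customer]) -> float:
    """Aggregate analytics that survive erasure of the identifiers."""
    return round(sum(sum(c.purchases) for c in customers), 2)


def run_demo() -> dict:
    """Constructed walkthrough: erase one customer, then send a campaign."""
    suppression = SuppressionList()
    customers = [
        Customer("c1", "Jane Doe", "Jane@Example.com", [19.99, 5.01]),
        Customer("c2", "Sam Roe", "sam@example.org", [40.00]),
    ]
    before = purchase_total(customers)
    erase_customer(customers[0], suppression)
    # A later campaign list that still carries the address in a different form.
    campaign = ["jane@example.com ", "sam@example.org"]
    return {
        "total_before": before,
        "total_after": purchase_total(customers),
        "record_anonymised": customers[0].name is None and customers[0].email is None,
        "campaign_recipients": filter_recipients(campaign, suppression),
        "tokens_stored": len(suppression),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting. Normalising before hashing matters: a suppression check that compares raw strings will happily email “Jane@Example.com” after “jane@example.com” was suppressed. And because the list holds a keyed hash rather than the address, the one thing you must protect is the key; if it is rotated, every existing token stops matching, so rotation has to be paired with re-tokenising from the source list before it is discarded.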
Backups And Disaster Recovery
For backups, the ICO recognises that erasing from backups can be technically complex. The key is to ensure the data is not put back into active use and is overwritten in the normal course. Your response should explain this clearly so the individual understands what will happen.
Processors And Vendors
Don’t forget your suppliers. If a processor (like a CRM or helpdesk provider) holds the data, you must instruct them to erase it and ensure your contract supports that instruction. This is why having a robust Data Processing Agreement with each vendor is essential. You should also keep a simple processor register so your team knows who to contact when a request comes in.
If you’re also reassessing which data you collect in the first place, review your consent and cookie practices. Many requests stem from unnecessary collection at the outset, so tightening up cookie banners and analytics settings can reduce future workload.
Build Your Data Deletion Framework (Policies, Records, Contracts)
Responding to one-off requests is much easier if you’ve set the groundwork. Here’s what we recommend for SMEs.
Have Clear Public-Facing Information
- A concise, accurate Privacy Policy explaining what you collect, why, your lawful bases, and how long you keep data.
- Plain-language instructions for users on how to make a request (email address or web form is fine).
Maintain Internal Policies And Records
- A data retention and deletion schedule that maps categories of data to default retention periods, aligned with your legal obligations and business needs.
- A DSAR and deletion request playbook covering verification, assessment, suppression, contacting processors, backup handling and response templates.
- Records of processing activities (at least a simple inventory) so you can find data and act quickly.
If you’re building these from scratch, a bundled approach like a Data Protection Pack can be a practical way to standardise your templates, retention schedule and processes.
Tighten Your Vendor Contracts And Tech Stack
- Ensure each processor contract includes prompt assistance with data subject rights and secure deletion on instruction - a robust Data Processing Agreement is key.
- Prefer tools that support user-level deletion/anonymisation and suppression lists.
- Minimise data collection at source - if you don’t collect it, you don’t have to delete it later.
Train Your Team
Most requests are handled by customer support or marketing. Give them a simple checklist, escalation criteria (e.g. legal claims), and copy-approved response templates. A short training session once or twice a year keeps everyone aligned.
Keep An Eye On Related Obligations
Deletion requests often expose gaps elsewhere. As you refine your process, check that your approach to GDPR data deletion, your retention timelines and your lawful bases are consistent with one another and with what your Privacy Policy says. If you use cloud storage or collaboration tools, confirm they’re configured so that deleted records don’t linger in shared drives, exports or sync copies, and that they meet your compliance needs.
Key Takeaways
- A GDPR deletion request (right to erasure) must be handled “without undue delay” and within one month - you can extend by two months for complex cases if you explain why within the first month.
- The right isn’t absolute. You may refuse or limit erasure where you must keep data to comply with legal obligations (like tax records) or to establish, exercise or defend legal claims - explain your decision and inform the individual of their ICO rights.
- Adopt a clear, repeatable workflow: log the request, verify identity, locate data across all systems, assess lawful bases, erase where required, suppress for marketing, handle backups appropriately, and respond on time.
- Use suppression lists to prevent future marketing to someone who has opted out, and ensure processors delete data when instructed under your Data Processing Agreement.
- Foundations matter: a transparent Privacy Policy, a practical retention and deletion schedule, and a DSAR playbook will make requests quicker and less risky to manage.
- Map your legal timelines across rights requests. Align your deletion workflow with your DSAR deadlines and consider relevant SAR exemptions so your responses are consistent.
- Minimise collection and keep retention disciplined. Shorter retention and fewer data points mean fewer headaches when deletion requests arrive.
If you’d like tailored help to set up a deletion request workflow, create a retention schedule, or draft a compliant Privacy Policy and Data Processing Agreements, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.